Authentication codes keep resetting

Hello again @jzilberberg,

My name is Lucian, and I’m part of the Melapress Support team. I’ll be assisting you moving forward.

Regarding your question: “However, they need to have the correct time of the configured timezone.” Can you please clarify?”

Here’s an example to illustrate:

1. Suppose the server/site time at login is 4:02 PM.
2. The time on your mobile device or laptop generator code app (where the 2FA codes are generated) is 4:03 PM.

Even a small time difference like this can cause authentication failures, as the encryption process relies on precise time synchronization. While the configured timezone does not affect this, the actual time must be correct and in sync across all devices involved in the 2FA process.

While this is the most common cause of such inconsistent problems (invalid 2FA codes), if you can confirm that all these components have the time in sync, we can then explore further causes of this unexpected behavior.

I hope this helps and let me know if you need further clarification!

Hello again, @jzilberberg!

Thank you for confirming that!

Since everything we’ve checked so far suggests this is not a timing issue, let’s go back to your initial observation: “After a while, an intermittent time period, the authentication codes stop working.”

1. Can you recall any specific actions that occur before the codes stop working?
   
   For example, do you perform any site maintenance tasks, such as migrating the site between staging and production or applying updates?
   Please note that if you are moving the website between environments (e.g., staging to production and vice versa), you must ensure that the encryption setup remains intact. This means keeping the plugin disabled during migration and ensuring encryption-related components are preserved.
   
   You can find more details on this here: WP 2FA Migration Guide
   
2. If migration is not the cause, could you check if all 2FA methods are affected or only the authenticator app codes?
   • As a quick test, try setting up a new user with both the Code via Email method and Backup Codes enabled.
   • When/if the initial problem happens again with the OTP via app user, let’s see if this new user also encounters the issue when logging in with both methods.

This will help us determine if the issue is specific to the authenticator app or something broader.

Looking forward to your feedback!

Hi @jzilberberg,

Thanks for the confirmation regarding the migration! Sure, keep me posted on your findings.

In the meantime, I’d recommend keeping a backup copy of the wp_2fa prefixed entries in the wp_usermeta table (at least for the user you’re testing with) and also the 2FA encryption key stored in wp-config.php. You can find more details on this in the article I shared earlier.

If the issue reoccurs, check whether any of these values have changed. A change in either could break/reset the encryption which will render all codes invalid. If that’s the case, identifying what’s causing these changes to our plugin data, will surely pinpoint the culprit.

Looking forward to your updates!

Hi @jzilberberg,

Thanks for bringing this up!

We’re aware that in some cases, duplicate WP 2FA encryption key entries may appear in the wp-config.php file. This typically happens when a site is migrated from staging to production (or vice versa) while the plugin is still active but there might be some other causes as well (it’s hard to pin point an exact cause, as we were never able to reproduce this constantly on our testing environments).

Would you be able to recall when and how these duplicate lines appeared in your case? Understanding the exact conditions in which this occurs will help confirm if it’s the same situation we’ve encountered before.

That said, we already have an internal ticket for this, and we’ve made improvements to prevent this from happening in future updates, and while I cannot offer an exact estimate of the release date, that should be in the near future.

If there are any other questions, feel free to reach out!

Hello again @jzilberberg!

Thank you for the clarification regarding the comments inside the wp-config.php file.
That’s certainly unexpected, but you can safely remove them and monitor when (or if) they reappear, so we can investigate further if needed.

Regarding your second question, we cannot provide support or recommendations for custom implementations like this. However, I would strongly advise against implementing this setup. The encryption key stored in wp-config.php is only one part of the encryption mechanism—WP 2FA also relies on encrypted user data stored in the database (usermeta table) which are generated based on the encrypt key found in the wp-config.php file.

Changing the key dynamically based on environment conditions can lead to complications, such as breaking the encryption, making 2FA data inaccessible, and potentially locking users out.

If you need a setup that works across multiple environments, I would recommend ensuring that the encryption key (+wp_2fa usermeta values) remains consistent across dev and production rather than conditionally redefining it.

Of course, if it happens that you might find a workaround that works for you, feel free to share it here as it might help others who might experience a similar case.

Let me know if you have any other questions!