• [Resolved] jessicalynncodes (@jessicalynncodes)


    Hi WPMU DEV Support,

    I’ve discovered a bug in Defender Security’s “Reset two factor” functionality that leaves users in a corrupted state and unable to log in.

    Environment:

    • Defender Security version: 5.6.1
    • WordPress version: 6.8.3

    Issue Description: When an administrator uses the “Reset two factor” link from the Users list page (wp-admin/users.php) and that user only has “fallback email” set up for authentication, it only partially clears the user’s 2FA data. This leaves the user unable to log in and the option to reset 2FA disappears from the user interface.

    Steps to Reproduce:

    1. User sets up 2FA using the Fallback Email method
    2. Administrator clicks “Reset two factor” link for that user from Users list
    3. User attempts to log in – experiences issues or gets stuck in 2FA loop
    4. When the user (or admin) views the user page in the admin, there are no details about enabled 2FA options nor a link to reset 2FA
    5. In database, wd_2fa_default_provider and wd_2fa_enabled_providers are empty, but other 2FA meta remains

    Root Cause: The reset function in src/component/class-two-fa.php at lines 810-811 only clears two user meta fields:

    update_user_meta( $user_id, self::DEFAULT_PROVIDER_USER_KEY, '' );
    update_user_meta( $user_id, self::ENABLED_PROVIDERS_USER_KEY, '' );
    

    However, it leaves behind:

    • wd_2fa_backup_email (stored as defenderAuthEmail)
    • wd_2fa_backup_code (stored as defenderBackupCode)
    • defender_two_fa_token
    • wd_2fa_attempt_fallback-email

    This partial cleanup creates a corrupted state where Defender thinks 2FA is disabled (empty providers) but authentication tokens and secrets still exist.

    Expected Behavior: The reset function should delete ALL 2FA-related user meta, similar to how the remove_data() function works in src/controller/class-two-factor.php (lines 1053-1070).

    Database Evidence: For the affected user, we found:

    • wd_2fa_default_provider: empty
    • wd_2fa_enabled_providers: empty
    • defenderAuthEmail: still has email address
    • defenderBackupCode: still has serialized backup codes
    • defender_two_fa_token: still has active token
    • wd_2fa_attempt_fallback-email: still has attempt counter

    Temporary Workaround: We resolved the issue by manually deleting all 2FA meta for the affected user via phpMyAdmin.

    Suggested Fix: The admin_notices() method should call a comprehensive cleanup function that removes all 2FA data for the user, not just the two provider fields. Consider creating a helper method like clear_user_2fa_data($user_id) that can be reused in multiple places.

    Impact: Users affected by this bug cannot log in and may be completely locked out if they don’t have database access. This is a critical issue for production sites.

    Please let me know if you need any additional information or access to reproduce this issue.

    Thank you!
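
    As an added illustration of the comprehensive cleanup suggested above (example code written for this thread, not Defender's own), the helper below deletes every user-meta key the report lists, and a second function flags users left in the half-reset state. The key names are the ones named in the report; the plugin's actual constants and any keys not listed here are assumptions to verify against the source.

```php
<?php
// Added example, not Defender Security's code. Assumption: these are the
// user-meta keys named in the report above; the plugin may use others.
const DEFENDER_2FA_META_KEYS = array(
    'wd_2fa_default_provider',
    'wd_2fa_enabled_providers',
    'defenderAuthEmail',             // fallback e-mail address
    'defenderBackupCode',            // serialized backup codes
    'defender_two_fa_token',         // active login token
    'wd_2fa_attempt_fallback-email', // OTP attempt counter
);

// Provider fields the buggy reset already blanks; everything else is a secret
// or token that must be removed as well, otherwise the user is stuck.
const DEFENDER_2FA_PROVIDER_KEYS = array(
    'wd_2fa_default_provider',
    'wd_2fa_enabled_providers',
);

/**
 * Delete every 2FA meta row for a user instead of blanking only the two
 * provider fields. Returns the keys that actually had a row to delete.
 */
function clear_user_2fa_data( $user_id ) {
    $deleted = array();
    foreach ( DEFENDER_2FA_META_KEYS as $key ) {
        // delete_user_meta() returns false when no row exists for that key.
        if ( delete_user_meta( $user_id, $key ) ) {
            $deleted[] = $key;
        }
    }
    return $deleted;
}

/**
 * Detect the corrupted state described in the report: both provider fields
 * empty, but secrets or tokens still present. Returns the stale keys
 * (an empty array means the user is either fully enrolled or fully reset).
 */
function find_stale_2fa_meta( $user_id ) {
    foreach ( DEFENDER_2FA_PROVIDER_KEYS as $key ) {
        // get_user_meta() returns '' both for a blank row and for no row.
        if ( '' !== get_user_meta( $user_id, $key, true ) ) {
            return array(); // 2FA is still configured, nothing to flag
        }
    }
    $stale = array();
    foreach ( array_diff( DEFENDER_2FA_META_KEYS, DEFENDER_2FA_PROVIDER_KEYS ) as $key ) {
        if ( metadata_exists( 'user', $user_id, $key ) ) {
            $stale[] = $key;
        }
    }
    return $stale;
}
```

    Run inside WordPress (for example via WP-CLI's `wp eval-file`) to audit users with `find_stale_2fa_meta()` before deciding to call `clear_user_2fa_data()`, rather than editing rows by hand in phpMyAdmin.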

  • Hi @jessicalynncodes

    I hope you are doing well today.

    I have followed your steps and I’m not able to replicate this issue.

    1. I created an editor role and was able to log in to the site without any issue with Defender disabled
    2. As admin I have enabled Defender and 2FA without “Force Authentication” feature
    3. As the editor user, after login I manually enabled the Fallback Email method, and after logging out I was able to log in again with the OTP code from the email
    4. As admin, I clicked “Reset two factor” for that editor user, and as the editor I was able to log in without an OTP code
    5. As admin, I enabled “Force Authentication” for the admin and editor roles.
    6. As the editor, I logged in again and was forced to set up a method; again I picked “Fallback Email” and was able to log in
    7. As admin, I clicked “Reset two factor” once again for that editor user.
    8. As the editor, I tried to log in, and again “Force Authentication” forced me to pick a method. Again, I picked “Fallback Email” and was able to log in after entering the OTP code

    Can you let us know which other settings you have set up in 2FA? Maybe this is about the WooCommerce feature or a specific role? Let us know more details, so that we can be on the same page.

    Kind Regards,
    Kris

    Plugin Support Amin – WPMU DEV Support

    (@wpmudev-support2)

    Hello @jessicalynncodes

    We haven’t heard from you in some time, so I will mark this thread as resolved. If you have any more questions or need further assistance, please let us know!

    Kind Regards,
    Amin


The topic ‘Bug Report – 2FA Reset Function Leaves Corrupted Data Causing Login Issues’ is closed to new replies.