• Resolved shamnas97

    (@shamnas97)


    Hello,

    I’m using Easy Digital Downloads (EDD) for e-commerce management on my WordPress website and I’m also using your plugin. I noticed that a default 2FA option is not provided for platforms other than WordPress core login and WooCommerce, so I implemented a custom setup to allow my EDD customers to enable 2FA for additional security.

    To achieve this, I used the shortcode [wordfence_2fa_management] in the My Account section. From there, users can scan the QR code and activate 2FA using any authenticator app.

    Once a user completes the setup, their details are stored in the table wp_wfls_2fa_secrets, where the user ID is recorded. On the login page, I added an additional 2FA field along with the username and password fields. From my research and testing, it appears that when 2FA is activated, the login process expects the password combined with the 2FA code, and this workflow works correctly.

    However, some customers are reporting an issue. When they attempt to log in, they are asked for the 2FA code, even though they never activated 2FA from their My Account page and are not aware of any 2FA setup.

    When I checked the wp_wfls_2fa_secrets table, I noticed that their user IDs were already present there. To resolve the issue temporarily, I manually disabled 2FA for those specific users using a custom method.

    I would like to know:

    1. Is it possible that the [wordfence_2fa_management] shortcode could automatically trigger or partially enable 2FA without the user completing the full setup?
    2. Could this be related to caching or session-related issues? The 2FA activation is a multi-step process, which makes this seem unlikely.
    3. Is there any recommended approach or hook to properly manage optional 2FA for custom login flows like this?

    I have spent quite some time investigating this issue but haven’t been able to identify the exact cause.

    Any clarification or guidance would be greatly appreciated.

    A faster reply would be appreciated as this is affecting some of my customers.

    Best regards,
    Shamnas

Viewing 1 replies (of 1 total)
  • Plugin Support wfmargaret

    (@wfmargaret)

    Hi Shamnas,

    Thanks for reaching out, and I’m sorry for the delay in getting back to you!

    The [wordfence_2fa_management] shortcode itself doesn’t silently enroll users; it just renders the 2FA management UI on the page. Users still have to go through the standard enrollment flow inside that UI to actually activate 2FA, which requires entering a valid TOTP code from their authenticator app. Loading the shortcode doesn’t trigger any database write on its own.

    Caching or sessions wouldn’t account for rows appearing in wfls_2fa_secrets either. Rows only get written when a user activates through the enrollment flow above.

    For your third question about integrating optional 2FA into a custom login flow, that side of things is custom development and, unfortunately, falls outside what we can help with from the support side. A developer familiar with your EDD login customization would be your best bet there.

    Thanks,
    Margaret
