nonce with 2FA

  • Resolved heymasa

    (@heymasa)


    2 years, 11 months ago

    Hi there,

    I set up 2FA with wordfence but I realized that when user submit 2FA value, there is no nonce value. I just wonder it’s possible to add nonce function on the submission.

Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    2 years, 11 months ago

    Hi @heymasa, appreciate you getting in touch!

    I’ve spoken with the development and QA team about your query here, where it’s been mentioned that a nonce wouldn’t add any significant protection to the login process.

    Typically in WordPress, they’re used to prevent CSRF (Cross-Site Request Forgery), validating the intent of a logged-in user. As these attacks take advantage of an authenticated user’s access and the user is not yet authenticated at the login page, any malicious actors would need the user’s credentials (including 2FA codes) to make that request.

    Thanks,
    Peter.

Viewing 1 replies (of 1 total)

The topic ‘nonce with 2FA’ is closed to new replies.

Tags