• Resolved hernan2022

    (@hernan2022)


    Hi, the plugin is great, I just wanted to report a small issue with the Two Factor Authentication

    In a project the first thing I did was enable Two Factor Authentication ONLY by App. I prefer it this way, I feel that enabling it by email is a vulnerability (I understand that it is a bit exaggerated, it is a very unfortunate scenario to be hacked with WordPress password and at the same time be hacked in email)

    But it makes sense to me aiming for maximum security to enable only the App as Two Factor Authentication. The thing is that the plugin doesn’t allow you to finish setting up Two Factor Authentication with a single method

    It took me a while to realize that this was the problem, I temporarily enabled email and finally left it as the only method of the app. The “continue” button is not clickable until you select two methods at least.

    Maybe it’s not a bug and it’s an intentional decision on the part of the plugin, but if that were the case it should display a warning or force the enabling of at least two modes of Two Factor Authentication

    If this is intentional, it should be better informed or prevent the user from selecting a single authentication method (I think that the possibility of a single method should be maintained, so that the only traditional way of logging in is with the physical phone in the pocket, on single App Method)

    Thanks, greetings!

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support chandelierrr

    (@shanedelierrr)

    Hi @hernan2022,

    First, let me thank you for sharing your feedback on Solid Security’s Two-Factor Authentication feature. I’m glad you found the plugin helpful!

    I can confirm that the “Continue” button is indeed intended to be disabled during 2FA Onboarding when a user opts for the Mobile App method only. This is in place in case the Mobile App method is unavailable during log-in or the user does not have access to the Mobile App.

    Still, I completely understand your perspective on aiming for maximum security. There is actually an existing feature request for this in our internal tracking system, so I have added a vote for you there. We value your feedback, so if you have any follow-up suggestions for this, please let me know.

    We appreciate your input!

    Thread Starter hernan2022

    (@hernan2022)

    Thank you very much for your reply, I have actually thought about this myself and have decided to save emergency access codes. I have some ideas for forcing login in case I lose my smartphone (probably the easiest way is to delete the plugin via FTP) but it is an unnecessary complication or risk.

    It makes sense to have two ways to verify login, maybe the easiest thing would be to just tell the user that at least two verification modes are recommended or required. A simple notice in the settings should be enough

    But in any case thanks for your reply, greetings

The topic ‘Simple report Two Factor Authentication problem’ is closed to new replies.