• Resolved whaleman

    (@whaleman)


    Hi,

    We have 2FA activated on our WordPress multisite which works fine for everyone except for one user. When she tries to log in she is correctly redirected to the page to fill in her 2FA code.

    However, when she does this she gets locked out of our site. In the backend I can see her IP has been blocked because the 2FA code has been appended to her username (e.g. Jane123456) so naturally Wordfence is saying the username is now incorrect.

    I am not sure how it’s doing this or why only this user. Maybe there is an issue with her account (she just came back to it after a year away). I could just set a new one up for her.

    Thanks

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @whaleman, thanks for getting in touch.

    That’s behavior I’ve not seen before, although it initially looked similar to an alternate way users can log in with 2FA (by appending it manually to the end of the password). Firstly, I would ensure auto-fillers like password managers, other browser plugins, and local caches aren’t involved by getting the user to try again in a different browser, or a private/incognito window with browser extensions disabled. If it works, it’s not caused at your site’s end.

    We generally only recommend having Wordfence > All Options > Brute Force Protection > Immediately lock out invalid usernames checked if you’re the sole administrator. If you have an online store or other reason for a number of external users, simple typing errors will result in blocking legitimate users quite frequently. Of course, this is an unusual case but you could temporarily disable that and let us know if the user is told their username is invalid once the code is appended to the end.

    Let us know what you find out,
    Peter.

    Thread Starter whaleman

    (@whaleman)

    Hi Peter,

    As you suspected the Brute Force Protection was turned on to immediately lock out any invalid user names. I turned this off and asked my colleague to try again. This time it worked for her, she was able to log in with 2FA and all seems fine.

    I’m not sure why she was the only person to have this issue but will keep the setting turned off as you suggested as we have many users regularly logging into the site.

    Many thanks for your help.

    George

The topic ‘User locked out with 2FA’ is closed to new replies.