Stuck on revalidate now loop · Issue #629 · WordPress/two-factor · GitHub

igorradovanov opened this issue Aug 31, 2024 · 6 comments

Comments

@igorradovanov

Describe the bug

In cases where email doesn't work, the plugin is stuck in "Revalidate Now" mode. The solution may be to allow changing the authentication method without requiring validation if email is the primary and only method currently set up with the two-factor plugin.

Steps to Reproduce

Steps I took to reproduce the issue:

  1. I installed the plugin for the first time and chose email as the primary authentication method.
  2. The next time I logged into the WordPress Dashboard, I found that my website was not sending emails (an issue on the hosting side). To regain access, I logged in via SFTP and removed the plugin folder.
  3. Now, I want to switch from email to the authenticator app, but the plugin won't allow this because it requires me to "revalidate the session," which I can't do since email delivery is still not working on the website.

Screenshots, screen recording, code snippet

[Screenshot attached: "Screenshot (7)"]

Environment information

  • WordPress 6.6.1, Twenty Twenty Four theme
  • Google Chrome browser on MacOS Sonoma

Please confirm that you have searched existing issues in this repository.

Yes

Please confirm that you have tested with all plugins deactivated except Two-Factor.

Yes

@kasparsd
Collaborator

I'm wondering if this should be the expected behaviour, and the email delivery should be fixed in order to regain access. Allowing any kind of override could be abused when the admins actually want to enforce the email second factor, for example.

The plugin now recommends enabling the backup codes which could be used in these instances.

@dd32
Member
dd32 commented Sep 2, 2024

I'd suggest that the issue in this case is that Email can be activated as a 2FA method without confirmation that the user can receive emails.

Just like TOTP and Security keys require you to confirm with the device to set it up, email should too.

@jeffpaul jeffpaul added this to the Future Release milestone Sep 3, 2024
@kasparsd
Collaborator

The user email is assumed to be valid by WP core since it is also used for password resets and other critical notifications. I feel like it would also add unnecessary friction to the setup flow if we enforced email validation.

I suggest we don't implement this.

@jeffpaul jeffpaul removed the Bug label Dec 3, 2024
@xanathon

I have a similar problem. After first installation, options are greyed out and I am asked to revalidate. I then have to provide a TOTP code that does not yet exist.

@kasparsd
Collaborator
kasparsd commented Jan 9, 2025

Seems to be a duplicate of (or at least related to) #572.

@zealdev
zealdev commented May 28, 2025

I have a similar problem.

Steps I took to reproduce the issue:

  1. I installed the plugin for the first time and chose email as the primary authentication method.
  2. I was then presented with the Revalidate session button, which I clicked.
  3. I received the email authentication code successfully and input it into the field.
  4. I was then brought back to the user profile page and the Revalidate session button is still there and the options are still greyed out. I click the button and the loop begins again.

I now cannot disable 2FA or change authentication method on my account without disabling the entire plugin. I have used this plugin on multiple other sites with no issue; this is the first time I have seen this. The only difference between them is that the site with this issue is a multisite. As well, when I look in the database, the sites that are working have various _two_factor_ usermeta fields set, whereas in the multisite there aren't any usermeta fields at all beginning with _two_factor_.

I am using WordPress version 6.8.1.
