Activating multiple methods is confusing and can fail silently #157

Open
simonwheatley opened this issue Mar 27, 2017 · 3 comments
@simonwheatley

What I did:

  1. Activated Two Factor on Engie on my sandbox only, logged in and navigated to my user profile…
  2. Checked “SMS”, “Backup Verification Codes”, and “Time Based One-time Password” methods
  3. Clicked “Update Profile”
  4. The edit profile page came back with “Two-Factor: You are out of backup codes and need to regenerate!”… no methods were checked
  5. It seems like if any method which you have checked fails its activation checks, then any new methods you have checked also fail activation.

Suggestions:

  • Consider moving Two Factor configuration to its own page; the user profile page is already crowded, and breaking this out might help make things clearer. Perhaps leave a link to the “configure two factor” page.
  • An explanatory admin notice to say that activating methods has failed
  • An explanatory admin notice for each failed method, explaining what needs to be done to get past this
@georgestephanis
Collaborator

My hesitancy with breaking Two-Factor out onto its own admin page was that I didn't want to clutter the admin menu with an extra tab for users that don't use two-factor.

I'd be 100% fine breaking it out if we add some logic so that it's only displayed if they click a checkbox to enable two-factor authentication on their profile page or the like.

Maybe a single check to enable two-factor on the profile page, and then a subpage to configure it further? It's a bit complex, no matter how it's done. :\

@crstauf

crstauf commented Dec 28, 2018

Could just be a link on the user's profile, and from there you turn on/off and setup (I don't see a need for it to be accessible from the admin menu).

@jeffpaul jeffpaul added this to the Future Release milestone Dec 2, 2024
@WordMessie

I'd like to add that this happens the other way around too:

  1. Selecting "Authenticator App" and "Backup Verification Codes".
  2. Scanning QR code in authenticator app but NOT entering code from the app beneath the QR code in WordPress (because, for example, user just forgets or overlooks input field).
  3. Clicking "Save Profile".
  4. No error being thrown that "Authenticator App" has been selected but no auth code has been entered.
  5. Instead "Authenticator App" as an option is just unselected and "Backup Verification Codes" is still selected.
  6. Also: "Backup Verification Codes" can be selected and User profile can successfully be saved and exited without ever clicking "generate new codes". This could lead to users locking themselves out by mistake.
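The two reports above describe the same underlying behaviour: when one checked method fails its activation check, the form silently drops it (or, in the first report, every newly checked method), and a method such as backup codes can be enabled with nothing behind it. The following PHP is an added illustration of that contrast, not code from the Two-Factor plugin; the method keys, the `$checks` callables, the `$state` array and the messages are all constructed for this example and do not correspond to the plugin's option names or APIs.

```php
<?php
// Added illustration, not code from the Two-Factor plugin. Method keys,
// the $checks callables, the $state array and the messages are assumptions
// made up for this example.

/**
 * All-or-nothing behaviour as described in the reports: the first checked
 * method that fails its activation check causes nothing to be enabled, and
 * the caller gets no per-method explanation of why.
 */
function activate_all_or_nothing(array $checked, array $checks, array $state): array {
    foreach ($checked as $method) {
        if ($checks[$method]($state) !== true) {
            return ['enabled' => [], 'errors' => []];
        }
    }
    return ['enabled' => $checked, 'errors' => []];
}

/**
 * Per-method validation: every checked method is tested independently,
 * methods that pass are enabled, and each failure carries a message that
 * tells the user what to do to get past it.
 */
function activate_per_method(array $checked, array $checks, array $state): array {
    $enabled = [];
    $errors  = [];
    foreach ($checked as $method) {
        $result = $checks[$method]($state);
        if ($result === true) {
            $enabled[] = $method;
        } else {
            $errors[$method] = $result; // string explaining the required fix
        }
    }
    return ['enabled' => $enabled, 'errors' => $errors];
}

// One activation check per method. Each returns true on success or a
// user-facing message on failure. Refusing backup codes with zero codes
// remaining is what prevents the lock-out described in the second report.
$checks = [
    'sms' => fn(array $s) => $s['phone_verified'] ? true
        : 'SMS: verify a phone number before enabling this method.',
    'backup_codes' => fn(array $s) => $s['backup_codes_remaining'] > 0 ? true
        : 'Backup Verification Codes: click "Generate new codes" first; enabling this method with no codes would lock you out.',
    'totp' => fn(array $s) => $s['totp_code_confirmed'] ? true
        : 'Authenticator App: enter the code shown in the app beneath the QR code to confirm the secret.',
];

// Constructed profile state matching the reports: phone verified, no backup
// codes generated yet, QR code scanned but the confirmation code never entered.
$state = [
    'phone_verified'         => true,
    'backup_codes_remaining' => 0,
    'totp_code_confirmed'    => false,
];
$checked = ['sms', 'backup_codes', 'totp'];

$old = activate_all_or_nothing($checked, $checks, $state);
$new = activate_per_method($checked, $checks, $state);

printf("all-or-nothing: enabled=[%s], errors reported=%d\n",
    implode(',', $old['enabled']), count($old['errors']));
printf("per-method:     enabled=[%s]\n", implode(',', $new['enabled']));
foreach ($new['errors'] as $msg) {
    echo "  - $msg\n";
}
```

Run with `php example.php` (PHP 7.4 or later for the arrow functions). The first line shows the silent failure: nothing enabled and no message. The per-method path enables SMS, which passed, and prints one actionable message each for backup codes and the authenticator app, which is the behaviour both reporters are asking for.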
