WordPress.org


Google Authenticator
[resolved] Is action on failed login safe? (4 posts)

  1. barthat
    Member
    Posted 7 months ago #

    Hi Henrik,

    Thanks for this plugin.

    I have a concern about the behaviour on failed login attempts (with an incorrect Google Authenticator code). Currently an error message is shown: "ERROR: The Google Authenticator code is incorrect or has expired."

    I don't think this is good security practice, as it specifies where authentication fails (i.e. user name and password were OK).

    By the way, I use your plugin on Windows with the following app, which is also available on other platforms: https://marketplace.firefox.com/app/gauth-authenticator/

    http://wordpress.org/plugins/google-authenticator/

  2. Henrik Schack
    Member
    Plugin Author

    Posted 7 months ago #

    Originally I didn't reveal any information about what went wrong in case of a failed login. I was then contacted by a WordPress developer who informed me that this was not the WordPress way of doing things.
    Then I changed it to the current state.

    It's kinda hard to make everyone happy :-)

    Best regards
    Henrik Schack

  3. barthat
    Member
    Posted 7 months ago #

    Yes, given that WP have the failed login 'shake' they don't seem to think this is a security issue which is baffling to me.

    Would it be difficult for you to make this an option so that people can choose for themselves?

    Thanks.

  4. Henrik Schack
    Member
    Plugin Author

    Posted 3 months ago #

    No, it would not be that hard, but another side effect would be the amount of email I would get when people forget their password :-(

    Best regards
    Henrik Schack
