• Resolved alan

    (@f1alan)


    I’m currently on v3.1.1.2 and I tested v4.0.0 on our local mirror but got an “invalid provider” error. Currently on WordPress 7.0.0.

    I was able to login once after the update but after choosing to keep the legacy UI, I logged out and logged in again and got the “invalid provider” error. I tried switching to the new UI and that didn’t have the problem. I wasn’t confident enough to immediately move to the new UI so I have stayed on v3.1.1.2 for now.

    Is there any explanation for this difference between UI modes?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support Lucian Padureanu

    (@lucianwpwhite)

    Hello @f1alan !

    That’s really unexpected for sure. I wasn’t able to reproduce this behavior on my end, so I’d like to gather a bit more information to help us narrow it down.

    Could you please let us know:

    • Which type of Passkey provider are you using (e.g. platform passkey such as Windows Hello, Touch ID, Face ID, or a security key such as YubiKey)?
    • Could you open your browser’s Developer Tools (F12), reproduce the issue, and share any errors shown in the Console tab?
    • Are you using the native WordPress login page, or a custom login form/page? If it’s a custom login, does the same issue occur on the default WordPress login page as well?
    • Which PHP version is the site running?
    • Are you using a 2FA method along with the passkeys or just passkeys alone? Can you elaborate on the method used if that’s the case etc.
    • Finally, can you confirm which WP 2FA version you upgraded from before testing 4.0.0?

    Once we have this information, we’ll be in a much better position to investigate the cause of the “invalid provider” error.

    Thread Starter alan

    (@f1alan)

    Thank you for your quick reply. Here are my answers to your questions.

    • Which type of Passkey provider are you using (e.g. platform passkey such as Windows Hello, Touch ID, Face ID, or a security key such as YubiKey)?
      • We don’t currently use Passkeys.
    • Could you open your browser’s Developer Tools (F12), reproduce the issue, and share any errors shown in the Console tab?
      • All I see in the console is “/wp-login.php?action=validate_2fa 500 (Internal Server Error)”.
    • Are you using the native WordPress login page, or a custom login form/page? If it’s a custom login, does the same issue occur on the default WordPress login page as well?
    • Which PHP version is the site running?
      • This is on PHP 8.2.29.
    • Are you using a 2FA method along with the passkeys or just passkeys alone? Can you elaborate on the method used if that’s the case etc.
      • We only use the 6-digit 2FA method.
    • Finally, can you confirm which WP 2FA version you upgraded from before testing 4.0.0?
      • 3.1.1.2

    Some further information. The way that I have been reproducing the problem is to select the option to stick with the current UI that pops up after the initial upgrade. Whilst still logged into the dashboard, I tried changing to the new UI from the plugin settings then I no longer get “invalid provider”, but I am not prompted for a 2FA code either. Also, I can’t re-enter the WP-2FA settings page after doing this (it just redirects to my user profile settings). The only way that I can successfully select the new UI is when I do it from the initial popup.

    Plugin Support Lucian Padureanu

    (@lucianwpwhite)

    Hello @f1alan,

    Thank you for the detailed answers, this helps a lot. The fact that you get “invalid provider” while only using TOTP method (and no passkeys at all) is exactly the odd part, and the 500 on validate_2fa tells us something is failing server side rather than in the browser.

    You are describing two separate problems here (the “invalid provider” error on the legacy UI, and the new UI not prompting for 2FA plus the settings page redirecting to your profile), so let’s start with the first one and dig into that 500 error:

    1. Please enable debug logging by adding this to your wp-config.php:
    define( 'WP_DEBUG', true );
    define( 'WP_DEBUG_LOG', true );
    define( 'WP_DEBUG_DISPLAY', false );
    1. Reproduce the “invalid provider” error, then check wp-content/debug.log and paste the PHP error(s) logged at that moment. That 500 will have a fatal error or exception behind it, and that is the single most useful thing you can send us.
    2. A screenshot of the login screen at the moment “invalid provider” appears would also help, so we can see exactly where in the flow it happens.
    3. Does this happen for all users on the site, or just your account? And if you temporarily enable another 2FA method (for example email OTP) for a test user, does that method fail the same way, or is it only TOTP?

    On the plugin conflict side, I agree wp-hide-security-enhancer is a reasonable suspect, since it rewrites login paths and filters exactly the kind of requests involved here. I understand it is not easy to disable, so let’s look at the debug.log first, as it may point us straight at the culprit without needing to touch it.

    The new UI behaviour you describe (no 2FA prompt and the settings page redirecting to your profile) is also not expected, and the fact that it only works when selected from the initial popup is a really useful detail.

    Let’s get to the bottom of the 500 first, since there is a fair chance the two share the same root cause.

    Thread Starter alan

    (@f1alan)

    Hi @lucianwpwhite,

    Thanks, the debugging tips that you provided were very helpful and I was able to pinpoint the issue on our server. The clue was in “/wp-content/plugins/wp-2fa/includes/classes/bacon/bacon-qr-code/src/Renderer/Image/SvgImageBackEnd.php” (lines 39-41) as it was looking for the XMLWriter class. The version of PHP on our local mirror was not built with –enable-xmlwriter. This became obvious when I created a test user and then couldn’t see the QR code to setup 2FA for it (as it needs XMLWriter to generate the image).

    This has never been a problem as we haven’t needed to scan the QR code on this local server before – it is usually done on the live server and therefore already configured by time it is mirrored. However, I rebuilt PHP with –enable-xmlwriter and the problem is resolved.

    Although I chose to keep the legacy UI, something must have changed as even though I didn’t have XMLWriter, it didn’t affect the login flow before. I don’t expect it will be a common issue but I hope this information is helpful. Edit: I tried to paste the error that I saw below for completeness but I don’t think it came through (it simply said “WP-2FA: Please contact the administrator for further assistance! Invalid provider.”).

    • This reply was modified 1 day, 22 hours ago by alan.
    • This reply was modified 1 day, 22 hours ago by alan.
    Plugin Support Lucian Padureanu

    (@lucianwpwhite)

    Thank you so much for the feedback, @f1alan! I’m really happy to hear everything is working again, and I’m confident this conversation will help other users who might run into something similar.

    It’s a bit unexpected what could have caused this, especially since nothing has changed on our end regarding passkeys. For now, we’ll treat it as an edge case and keep an eye out for any similar reports so we can investigate further if needed.

    I also wanted to thank you for all the time and effort you put into helping us debug this. The additional details you shared were extremely valuable, and we’ve noted everything down. We’ll do our best to improve the experience and prevent similar issues in future releases.

    Finally, if you’ve been happy with both the plugin and the support you’ve received, we’d really appreciate it if you could leave us a review. It only takes a minute, and it genuinely helps us out:

    https://wordpress.org/support/plugin/wp-2fa/reviews/#new-post

    Thanks again, and if you run into anything else, don’t hesitate to let us know!

Viewing 5 replies - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.