Support » Plugin: Google Authenticator » NO SECURITY – any 6 digit code will silently pass

  • This plugin only presents a UI/facade of security. It’ll prompt you for a 6 digit PIN during login, but any 6 digit PIN is accepted as correct and you can log in!!

    This needs to be looked into as a bug/compatibility issue or something because it’s a very serious defect.

    There is another plugin “Two Factor” which when installed into the same installation works just as expected (and is honestly better with email, yubikey etc support).

    • This topic was modified 3 months, 2 weeks ago by user48958.
Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi, did you also set up the plugin for the profile in question? If you don’t enable the security features per profile then it will not work.

    I have this plugin installed in a few websites without any issues.

    Kind regards

    Yes, it was setup by the previous administrator and was enabled for all important users. I can confirm it worked in the past but was entirely broken recently. To be honest, we couldn’t believe it.

    Not sure if it’s incompatible with the latest wordpress or if something broke during this plugin’s standard upgrade path or if it’s something else entirely.

    The fatal issue is silent failures – the failure of an important security feature should always be “in your face” and defaults etc should be biased towards that. Ideally, the plugin should present the 2FA prompt only for accounts that have 2FA enabled. Till that’s fixed in the UI (as a 2 stage login), a quick fix would be to NOT ignore any code that’s submitted (check 6 digits long and if you get a code for an account without 2FA enabled, abort + warn).

    Collaborating with the “Two Factor” plugin authors isn’t a bad idea either; their implementation covers yubikeys and the login UI is done correctly as a 2 stage process.

    My $0.02
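The fail-closed behaviour the reply above asks for, written out as an added example in PHP (this is not the Google Authenticator plugin's own code). It hooks WordPress's `authenticate` filter; the meta key `fc_totp_secret` and the `otp` form field are assumed names, and the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits).

```php
<?php
// Added example, not the plugin's code. Fail-closed TOTP check on the WordPress
// 'authenticate' filter. The meta key and form field names below are hypothetical.
// Decode a base32 secret (RFC 4648 alphabet); returns '' on any malformed input.
function fc_base32_decode( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
        $v = strpos( $alphabet, $c );
        if ( $v === false ) { return ''; }           // reject malformed secrets
        $bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( strlen( $byte ) === 8 ) { $out .= chr( bindec( $byte ) ); }
    }
    return $out;
}
// RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamic truncation, 6 digits.
function fc_totp( string $secret, int $time, int $step = 30 ): string {
    $counter = pack( 'J', intdiv( $time, $step ) );  // 64-bit big-endian counter
    $hash    = hash_hmac( 'sha1', $counter, $secret, true );
    $offset  = ord( $hash[19] ) & 0x0f;
    $code    = ( unpack( 'N', substr( $hash, $offset, 4 ) )[1] & 0x7fffffff ) % 1000000;
    return str_pad( (string) $code, 6, '0', STR_PAD_LEFT );
}
add_filter( 'authenticate', function ( $user ) {
    if ( ! $user instanceof WP_User ) { return $user; }   // password stage already failed
    $submitted  = isset( $_POST['otp'] ) ? trim( (string) $_POST['otp'] ) : '';
    $secret_b32 = get_user_meta( $user->ID, 'fc_totp_secret', true );  // hypothetical key
    if ( $secret_b32 === '' ) {
        // 2FA not enrolled: a submitted code is never silently ignored; abort and warn
        if ( $submitted !== '' ) {
            error_log( "2FA code submitted for non-enrolled user {$user->user_login}" );
            return new WP_Error( 'otp_not_enrolled', 'Two-factor is not enabled for this account.' );
        }
        return $user;
    }
    $secret = fc_base32_decode( $secret_b32 );
    if ( $secret === '' || ! preg_match( '/^\d{6}$/', $submitted ) ) {
        return new WP_Error( 'otp_invalid', 'A valid 6-digit code is required.' );  // fail closed
    }
    $now = time();
    foreach ( [ -1, 0, 1 ] as $drift ) {   // tolerate one step of clock skew either side
        if ( hash_equals( fc_totp( $secret, $now + $drift * 30 ), $submitted ) ) { return $user; }
    }
    return new WP_Error( 'otp_invalid', 'Incorrect two-factor code.' );
}, 30, 1 );
```

Every branch that is not a verified match returns a `WP_Error`, so a broken secret, a missing code or an unenrolled account all block the login rather than passing it; storing the last accepted counter per user to prevent replay within the window is left out for brevity.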

    Hi, if this plugin is not working for you then perhaps the following two factor might work better.

    Kind regards

    Thanks, we did migrate to it.

    But I’m worried that you have a large number of installs and there are other reports of this issue too. So if you don’t plan on investigating and resolving this security vulnerability, a socially responsible thing to do would be to de-list this plugin and educate people on migrating away via an upgrade alert. I say that in good faith – no disrespect.

    This has come up before many times, and every time it’s turned out to be that the reporter assumed that the plugin would start working just because it was activated, which is incorrect.

    In order for the plugin to work, each user needs to edit their profile and enable the setting, then configure their phone.

    It’s a confusing user experience, but not a security bug.

    Oh, my bad, I missed that you said earlier that you’d already done that. I re-tested this just to be sure, and wasn’t able to reproduce the bug. I wonder if there was a conflict with another plugin?
