Title: Plugin allows username enumeration
Last modified: January 8, 2018

---

# Plugin allows username enumeration

 *  Resolved [sdundee](https://wordpress.org/support/users/sdundee/)
 * (@sdundee)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/plugin-allows-username-enumeration/)
 * This plugin works really well, but unfortunately it allows username enumeration
   as it only allows users to progress to the 2FA if their username exists in the
   DB.
 * This sounds like a good idea, but the problem is that users progress to the 2FA
   even if their password is incorrect. This allows enumeration (guessing) of usernames.
 * Ideally the plugin should only allow users to progress to the 2FA prompt if both
   their username and password are correct. I’m looking at implementing this myself
   using hooks if possible, but I think it would be best if this was included in
   the plugin by default (it looks like this would require modifications to the
   `preAuth` method of the `Simba_TFA` class).

Viewing 7 replies - 1 through 7 (of 7 total)

 *  Plugin Author [David Anderson / Team Updraft](https://wordpress.org/support/users/davidanderson/)
 * (@davidanderson)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/plugin-allows-username-enumeration/#post-9844521)
 * I don’t see how the thing which you want to do is achieved, or done any differently,
   by your suggested solution.
 * If someone enters a valid username, and a wrong password (whether without installing
   this TFA plugin, or after activating it and including a (right or wrong) TFA
   code), then WP sends back the message “The password you entered for the username
   (X) is incorrect.” Whether it says that *before* entering the TFA code, or *after*,
   does not make any difference to the fact that WP’s “wrong password” response
   indicates that you guessed the existence of the username (X).
 * David
 *  Thread Starter [sdundee](https://wordpress.org/support/users/sdundee/)
 * (@sdundee)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/plugin-allows-username-enumeration/#post-9844535)
 * Hi David,
 * Thanks for the quick response.
 * I think you’re right yes, I’m getting in a muddle myself with other code we’ve
   added to prevent enumeration in that respect.
 * In any case, I don’t think this is actually a relevant issue as it’s specific
   to code that we’ve written to modify the login functionality.
 * Thanks for your help!
 *  Plugin Author [David Anderson / Team Updraft](https://wordpress.org/support/users/davidanderson/)
 * (@davidanderson)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/plugin-allows-username-enumeration/#post-9844579)
 * [@sdundee](https://wordpress.org/support/users/sdundee/)
 * No problem!
 * Do feel free to send patches to add any hooks you want to the plugin… hooks are
   always harmless, and we’re happy if they help.
 * If you think that the plugin is worth 5 stars, then please do take a moment to
   give us a review – [https://wordpress.org/support/plugin/two-factor-authentication/reviews/#new-post](https://wordpress.org/support/plugin/two-factor-authentication/reviews/#new-post).
   (If not, please let us know why not… reviews less than 5 stars bring our average
   down!)
 * David
 *  Thread Starter [sdundee](https://wordpress.org/support/users/sdundee/)
 * (@sdundee)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/plugin-allows-username-enumeration/#post-9844748)
 * Hi David,
 * Actually, I’ve investigated this some more – I ended up setting up a WordPress
   install with only your plugin installed.
 * With the plugin disabled, WordPress indeed sets the message you describe, but
   if you enable the plugin for a specific user, then try logging in as that user
   with an incorrect password, you are still forwarded to the page asking for the
   two factor token. Only after entering this are you informed that your password
   is incorrect.
 * It looks like the plugin is executing this code before the password is checked,
   rather than after it’s checked.
 * So it looks like this is indeed a bug.
 * Kind Regards
    Sean
 *  Plugin Author [David Anderson / Team Updraft](https://wordpress.org/support/users/davidanderson/)
 * (@davidanderson)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/plugin-allows-username-enumeration/#post-9844776)
 * Hi Sean,
 * Why is that a bug, according to you? At the most, it seems to be a personal preference.
   In the preference of other users, it’s undesirable if someone who doesn’t know
   the password gets informed of their mistake prior to being asked for the TFA 
   code, on an account that has TFA activated.
 * But in fact, technically, it has to be the way it is. The transition to asking
   for the TFA code does not send off any secrets (only the username). The secrets
   (i.e. password) are only sent when the form is submitted, once. That means that
   the plugin can remain compatible with any other things that the user puts on
   their login form (e.g. adds a captcha, adds a requirement to scan a barcode,
   etc.). If we sent off the credentials one-by-one, instead of all-at-once, it
   could compromise other security schemes that the user might have added (e.g.
   if there’s a captcha, then you don’t want an API that allows someone to test
   a username/password via a back-door in the TFA plugin that verifies the
   username/password independently of other login steps). Remember that we’re trying
   to remain compatible with hundreds of other plugins that modify the login process
   in all sorts of ways.
 * David
 *  Thread Starter [sdundee](https://wordpress.org/support/users/sdundee/)
 * (@sdundee)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/plugin-allows-username-enumeration/#post-9844837)
 * Hi David,
 * From a security perspective I don’t think this is ideal, because it allows username
   enumeration, which means that you can confirm whether or not a username exists
   in the database; if you proceed to the 2FA page then the username exists, if
   it doesn’t then you’re presented with an error message. (The OWASP description
   is much better and more detailed than mine: [https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)](https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)))
 * Unfortunately WordPress already allows this sort of enumeration by default, although
   there are ways to fix this using a few of the security plugins available.
 * That said, I do understand why a solution to this problem is difficult, especially
   after looking at the code and reading your explanation. I can’t think of any
   easy or obvious way to fix this; that doesn’t necessarily mean that this isn’t
   a valid bug though (even if it might be categorised as low priority).
 * Thanks for your response.
 * Kind Regards
    Sean
 *  Plugin Author [David Anderson / Team Updraft](https://wordpress.org/support/users/davidanderson/)
 * (@davidanderson)
 * [8 years, 2 months ago](https://wordpress.org/support/topic/plugin-allows-username-enumeration/#post-9845607)
 * Hi Sean,
 * If it’s important to you, I think you could fairly easily modify the process 
   so that the “does this username have TFA?” question that the front-end JavaScript
   asks is always answered by the WP back-end with “Yes”, regardless of the true
   answer. You could then either train users who don’t have TFA to just leave it
   blank, or adjust the informational text so that it tells them to do that.
 * To do that, you should just hook the events that the plugin hooks (the ones that
   go into tfaInitLogin()) with a higher priority, and echo your “fake” answer, 
   and then die(). So, your code would get in there and answer “yes” before the 
   plugin replies.
 * David
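The hook-and-die approach David describes, written out as an added example (this is not the plugin's code, nor code from anyone in the thread). It assumes the plugin's login-page JavaScript reaches `tfaInitLogin()` through a WordPress AJAX action; `SIMBA_TFA_AJAX_ACTION` and the JSON shape are placeholders to be replaced with the real action name and the real response format from the plugin source.

```php
<?php
/**
 * Plugin Name: Uniform "TFA required" answer (mu-plugin)
 *
 * Added example. Answers the pre-login "does this username have TFA?" AJAX
 * request identically for every username, so the reply no longer reveals
 * whether the username exists or has TFA enabled. Users without TFA are then
 * expected to leave the code field blank, as the thread suggests.
 *
 * ASSUMPTIONS (not taken from the thread or from the plugin):
 *  - SIMBA_TFA_AJAX_ACTION: placeholder for the AJAX action the plugin's
 *    JavaScript posts, i.e. the one routed to tfaInitLogin().
 *  - The response array below is a placeholder; mirror what tfaInitLogin()
 *    really sends so the front-end keeps working.
 */

if (!defined('ABSPATH')) {
    exit; // Not loaded by WordPress; refuse direct access.
}

define('SIMBA_TFA_AJAX_ACTION', 'REPLACE_WITH_PLUGIN_AJAX_ACTION'); // placeholder

/**
 * Reply "yes, TFA is required" without consulting the user table.
 * The username in the request is deliberately ignored: a handler that
 * never looks it up cannot leak whether it exists.
 */
function ue_uniform_tfa_required_answer() {
    $response = array('status' => true); // placeholder shape (assumption)

    // wp_send_json() sets the JSON content type, echoes, and calls die(),
    // so the plugin's own handler (registered at the default priority 10)
    // never runs for this request.
    wp_send_json($response);
}

// Priority 1 runs before the plugin's handler, so this reply wins.
// Logged-out visitors hit the nopriv hook; hook both to be safe.
add_action('wp_ajax_nopriv_' . SIMBA_TFA_AJAX_ACTION, 'ue_uniform_tfa_required_answer', 1);
add_action('wp_ajax_' . SIMBA_TFA_AJAX_ACTION, 'ue_uniform_tfa_required_answer', 1);
```

This only removes the plugin's pre-check as an oracle; as the thread notes, WordPress core's own "wrong password for username X" message still distinguishes existing usernames unless it is changed separately.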


The topic ‘Plugin allows username enumeration’ is closed to new replies.

 * [Two Factor Authentication](https://wordpress.org/plugins/two-factor-authentication/)

 * 7 replies
 * 2 participants
 * Last reply from: [David Anderson / Team Updraft](https://wordpress.org/support/users/davidanderson/)
 * Last activity: [8 years, 2 months ago](https://wordpress.org/support/topic/plugin-allows-username-enumeration/#post-9845607)
 * Status: resolved