Thank you for using our plugin, @msstm.
Users have to configure 2FA themselves, so even if you enforce 2FA on them, if they do not log in, their 2FA will remain non-configured, even if you set the grace period to 3 days.
This is exactly what is happening in your situation – you’ve enforced 2FA and users have not accessed the website since you’ve configured these policies. Can you double check and confirm with these users, and maybe ask some of them to try to log in now?
If they do, they will be prompted to configure 2FA right away.
Please let us know if you need any additional information.
Thread Starter
msstm
(@msstm)
Hi, I don’t think that’s what happened.
Some of these users are logging in every day and are very active publishing stuff.
It looks like I had let users see the “Remove 2FA” button on their profile.
Maybe that’s why. How can I enforce it on them again?
It is strange that users can log in without 2FA, even if you left the Remove 2FA button. If users are required to configure 2FA via policies and they remove 2FA, the plugin will prompt them again to configure 2FA.
Are they logging in to the standard WordPress dashboard, or do the users not have access to the dashboard?
Do you know if they get any notifications about 2FA as well?
Also, can you please confirm which versions of WordPress and the WP 2FA plugin you are running?
Looking forward to hearing from you.
Thread Starter
msstm
(@msstm)
Then I really don’t know how that happened.
They use the standard WP dashboard.
I use the very latest version of WP and all plugins.
I don’t know if they get notifications but they’ve never mentioned that to me. I’ll ask.
Hello @msstm,
You can do a quick test yourself:
- Create a user which has 2FA enforced on it
- Log in and configure 2FA
- Click “Remove 2FA”
- Log out and log back in
You should be prompted to configure 2FA again. Is this working on your website?