Support » Plugin: Two Factor Authentication » TFA fails with CloudFront CDN for one user alone

  • Resolved mvenkadesan



    I have a WooCommerce site with the TFA plugin. There are two admin users, and I was using TFA with no problem whatsoever for both users. However, today, after a WooCommerce update, TFA no longer works for one user. It is fine for the other user. I verified that I was using the correct code from the specific user’s TFA. I also cross-verified that the Google Authenticator code matched that shown on the user’s TFA setup page.

    I started to suspect that something else was going on. So, I looked into AWS CloudFront CDN. My site uses acceleration using a CDN. The www. URL is the alternate one that is routed through the CDN and the naked domain goes directly to the server. When I try logging in at there are no issues with TFA for both users. However, if I try the same with one user’s access is broken. If it helps, that is also the user to whose account my site’s JetPack is connected to. I have searched a lot and cannot find what is going on. Any help? I do not want to have an admin user without TFA.

    The page I need help with: [log in to see the link]

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author David Anderson



    Please describe the symptoms of the failure…. all you’ve said above about the actual symptoms experienced is ‘no longer works’ and ‘is broken’, which is not enough to respond to.


    Plugin Author David Anderson


    Depending on that, the next thing to check might be the network communications – look in your browser’s developer tools to see what is sent and received during the login process.

    Sorry for the lack of details. The problem resolved itself and I will document here the precise things that I did, although it is mysterious to me why it resolved itself.

    Note that every attempt that I describe below was in its own protected window in two different browsers (Chrome’s incognito, Safari’s private window) so that there is no sharing of the cache. I also tried swapping out the browsers with no difference.

    First, when it is broken, which happens when the same user visits I am presented first with the option to login with or by providing a username and password. I choose the latter. I am then presented with a screen asking for my “One Time Password (i.e. 2FA)”. When I enter the code generated by Google Authenticator on my phone, I receive a message that says, “Error: The one-time password (TFA code) you entered was incorrect.”

    Second, the behavior when things are fine and I can login by visiting At the login page, I choose to go with username and password instead of Then, I am asked for the TFA code that I find from my phone’s Google Authenticator and enter. This takes me to the admin screen, as it should.

    If I go to a new screen and try to access www. I get the same message that the TFA was incorrect. So, the order in which I try the two did not matter.

    Now for what I did next, which appears to have resolved the issue.

    To ensure that I am not inducing errors in typing the TFA code, I opened two incognito windows side-by-side (in two different browsers) and tried the two URLs together. So, I used the same TFA code in both of them by being fast enough. Now both of them worked fine and let me in. After this, when I tried each method individually in different browsers (www. or naked domain), both worked fine. The problem appears to have resolved itself!

    Plugin Author David Anderson


    Ok – glad it’s now working. If it stops again, then please open a new topic, and use the network tools in the web browser to analyse what is sent + received in the TFA conversation.

Viewing 4 replies - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.