• Resolved Ced

    (@cedriccharles)


    Hello there 🙂 !

    I hope you’re fine?
    I’m using your free version of the plugin with TML (plan to take the premium version in a few days, but want to be sure it will work with my setup before buying it).

    In the front-end form, if I enter a wrong password but a good email address, it goes to the 2FA step. Then, if I enter the right 2FA code, it goes back to the first step telling me that the password is wrong. But if the password was wrong, it shouldn’t go to the 2FA step…

    I’ve read this thread: https://wordpress.org/support/topic/no-wrong-passwords-arent-accepted/, but it’s not sending the right password, no cache/extension to manage the passwords.

    Thank you in advance,
    Cedric

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author David Anderson

    (@davidanderson)

    > But if the password was wrong, it shouldn’t go to the 2FA step…

    No credentials are sent to the back-end until you have entered both password and TFA code. They are not “steps” as such. It is just a way of avoiding presenting the TFA input field to users who don’t have TFA enabled. (Lots of other TFA plugins show the input field on the login form to everyone, which confuses users who’ve not set up TFA).

    I can see that someone would say that they would like the password to be checked first. There are trade-offs both ways. People who don’t know the password are more likely to be attackers, so they’re the ones inconvenienced. People who know the password aren’t going to be inconvenienced.

    David

    Thread Starter Ced

    (@cedriccharles)

    Hello David,

    Thank you for your answer. People who know the password can be inconvenienced, if they make a typo in their password, which can happen… In fact, I don’t really see when it’s useful to go to the 2FA “step” with a wrong password, do you?

    Plugin Author David Anderson

    (@davidanderson)

    Hi Cédric,

    Practically speaking, we have neither the resources nor the inclination to re-engineer it (I think you might be the second person over the years to mention it). The way it works currently means that we didn’t need to invent a new WordPress password-authentication flow “under the hood” (i.e. in the internals). Doing it the way you propose would involve that.

    If it’s a deal-breaker for you, you’ll want to see if there’s a different plugin that is closer to what you want. Alternatively, if it matters enough that you’d be willing to commercially fund the work necessary to change it, then please visit us at http://www.simbahosting.co.uk, and use the contact form to request a quote.

    Best wishes,
    David

    Thread Starter Ced

    (@cedriccharles)

    What a fast answer !!! Thank you David 🙂 !
    I’ll contact you 😉 !

  • The topic ‘With “Theme My Login”, goes to 2FA steps even with wrong pass’ is closed to new replies.
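
The two login designs discussed in this thread, modelled side by side as an added example (it is not the plugin's code and not part of any post): the single-request flow the plugin author describes, and the password-first flow the thread starter asks for, which has to carry "password already verified" state between two requests. The accounts, function names, the fixed code standing in for a real TOTP check, and the signed-ticket scheme are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

def _h(pw):  # password hash for the constructed accounts below
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"constructed-salt", 10_000)

# Constructed accounts; the fixed "code" stands in for a real TOTP check.
USERS = {"ced@example.com": {"pw": _h("correct horse"), "code": "492817"},
         "bob@example.com": {"pw": _h("hunter2!"), "code": None}}
KEY = secrets.token_bytes(32)  # server-side key for signing step-1 tickets

def _pw_ok(user, pw):
    return user in USERS and hmac.compare_digest(USERS[user]["pw"], _h(pw))

def _code_ok(user, code):
    want = USERS[user]["code"]
    return want is None or hmac.compare_digest(want.encode(), (code or "").encode())

# --- Flow described in the thread: one request carries both credentials ---
def form_shows_tfa_field(user):
    """Lookup made by the form; no password is sent at this point."""
    return user in USERS and USERS[user]["code"] is not None

def login_single_request(user, pw, code=None):
    if not _pw_ok(user, pw):
        return "wrong password"   # reported only after the code was typed
    return "ok" if _code_ok(user, code) else "wrong code"

# --- Password-first alternative: state must survive between two requests ---
def _sign(body):
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()

def step1_password(user, pw, now):
    if not _pw_ok(user, pw):
        return "wrong password", None
    if USERS[user]["code"] is None:
        return "ok", None
    body = f"{user}|{int(now) + 120}"   # ticket valid for 120 seconds
    return "need code", f"{body}|{_sign(body)}"

def step2_code(ticket, code, now):
    try:
        user, expiry, tag = ticket.split("|")
    except ValueError:
        return "bad ticket"
    good = hmac.compare_digest(tag.encode(), _sign(f"{user}|{expiry}").encode())
    if not good or int(expiry) < now:
        return "bad ticket"
    return "ok" if _code_ok(user, code) else "wrong code"
```

The second half shows the extra machinery the password-first design needs: a ticket that is bound to the user, expires, and is rejected if altered. A production version would also make the ticket single-use and limit code attempts per ticket.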