DEFENDER: two factor authentication useless - as I can login even when activated

Hi Heroes

Defender lets me in even though I have the two factor identification activated.
I installed defender - newest version
Activated two factor authentication
installed Google Authenticator on my iPhone
Logged out from the site
Went to login again
entered my credentials
and got logged in

No barcode appeared, simply nothing at all!

Besides this, it is not possible to deactivate that feature again! So please advise how to deactivate that feature, as security which stands only on paper is the biggest danger which could happen for a site admin and their users and can even cause legal problems for the one who installed that feature!

Please check and solve that security issue immediately!

Kind regards
Andi

  • viobru

    Hi, Andi!

    Hope you're doing well today :)

    I was repeating the process you have followed in a testing installation and I was able to replicate: I activated Defender's 2 Factor Authentication, installed Google Authenticator on my smartphone, and then I just logged out (not setting anything else) and I could log in again without problems, as if the 2 Factor Authentication feature was not activated.

    This is the normal behaviour of the plugin, as you can read in its documentation (https://premium.wpmudev.org/docs/wpmu-dev-plugins/defender/#chapter-4, where it says 'Where Your Users See'). In order to have it working, you'll have to enable it in your user's profile page (see image attached).

    [image pos="0"]

    After following these steps it will start working.

    What I can see is that the 2 Factor Authentication is not enabled in your profile, so that's the reason why you're not seeing it when you log in on your site (see image attached).

    Could you please enable it on your profile's page and let me know if it worked? Note that if you enable it on your profile it will only affect you (if the other users want it working, they'll have to enable it in their profile). This feature can only be enabled by the logged-in user (admins don't have permission to enable it for the other registered users of the site).

    On the other hand, as I tested on my site, there are two different ways of 'deactivating' the 2 Factor Authentication:

    - Every user can decide if he/she wants to have it enabled or not, and he/she can do it from his/her user profile page. So, if a user enables it and, for some reason, then he/she wants to disable it, he/she just has to go to his/her user profile page and disable it. This option will disable the 2 Factor Authentication only for that concrete user.
    - As the admin of your site, you can always completely deactivate the 2 Factor Authentication by going to the Defender's Advanced Tools tab (Defender -> Advanced Tools), clicking on 'Deactivate' at the end of the page and then on 'Save Settings' (see image attached). This option will affect every registered user of the site, so no one would have the option to use it.

    Looking forward to seeing your response.

    Regards,

    Violeta

  • Andi

    Thanks viobru

    I would suggest adding a hint to the installation of that plugin, or even a pop-up in the backend, that at least one user has to be added so that the two-factor authentication is working. This authentication does not actually really make sense if not everybody would be forced to use it. In a multisite, it would be simply much too easy to hack if one gets left out.

    Kind regards
    Andi
