It deserve 5 star

Useless bro delete this plugin please. Just useless.

Please can you explain what you’re trying to say? It sounds like you’re saying that if someone does this…

1) Enters a username
2) Enters a *wrong* password
3) Enters a *correct* TFA code

… then they will be logged in. However, I’ve just tried that on three sites with this plugin, and that does not happen. They all give the expected result: “The password you entered for the username (X) is incorrect.”

So, please can you explain more?

If the above *is* happening for you, then the cause must be something else that you have installed. Have you tried it with no other plugins active? Or perhaps you are trying a different plugin to the one you’ve reviewed??

In all cases, it’s much better to report any issues you are having in the support forum – https://www.ads-software.com/support/plugin/two-factor-authentication/ – so that they can be investigated, before posting alarming things that may impact thousands of other users (see the WP guidelines here, for which the principles apply to plugins too: https://make.www.ads-software.com/core/handbook/testing/reporting-security-vulnerabilities/ ).

David

Exactly, but it happens with me I am useing wp 4.9.1

Does it happen if you de-activate all other plugins and switch to a default theme?

Two of the three sites I tested are WP 4.9.1.

David

BTW, it should be noted that it’s not the TFA plugin which checks passwords. That’s WordPress. The TFA plugin is only adding an *extra* roadblock (checking the TFA code) – it leaves all the password checking to WP (and any other plugins that want to get involved). I’ve just re-read the code to double-check that. (And hence it’s possible that your problem, whatever it’s caused by, may still exist even without the TFA plugin, depending on how it’s being caused).

Can you give a list of your installed plugins? At least, if someone else has the same problem, then that’ll make it easier to identify the culprit.

Hi @newoabp,

After further research, we have established that there is no problem in the plugin. It’s your LastPass password manager, which is automatically sending the correct password, even though you typed in the wrong one.

Please can you change your review?

Details as follows…

I asked a team of people to try to reproduce this problem on any websites they had. Finally, somebody did reproduce the problem. I then tried to log in on the same site… but the “bug” did not happen for me. We then cloned the site to a new URL… then the “bug” did not happen for either of us. Then we looked into LastPass. He has it; I don’t. He turned off LastPass and…. the it no longer happens. We discovered that LastPass is actually automatically re-inserting the correct password. This can be verified by using your web browser’s Developer Tools to inspect the pay-load sent when logging in… if you have LastPass activated, you’ll see that it sends the correct password, regardless of what you typed in.

Best wishes,
David

So unfair folks give you terrible rating and don’t bother replying.
You seem to provide great and fast support!

@tekgirlymama Thank you for your kindness! If you’ve had a positive experience with the plugin, then please do consider placing a review (form at the bottom of this page: https://www.ads-software.com/support/plugin/two-factor-authentication/reviews/)

Moderator – IIRC, I read somewhere that one of the only times that a review will be removed is if it’s just entirely, objectively false. In this case, the reviewer reported that the plugin caused WP to accept a wrong password. But in reality, testing (with other users who reproduced it, including inspecting the POST pay-load -https://www.ads-software.com/support/topic/just-as-newoabp-stated/) has established that the LastPass password manager extension in the user’s browser is over-riding, and is sending the correct password.

Hi David, let’s me check it. I will reply with a comment very soon.

It’s still same. Listen everyone don’t use this plugin. It’s less secure your wordpress website. In this report I am telling you how. Enable 2 factor. Now if you logged in please logout. Give your correct username. Give any password which is wrong like abc or jpg or 00000 or anything. Click login. Now give your correct otp. See you are logged in. I am just created a video on it and post on YouTube. See it.

I don’t want to lose my time on this stupid plugin. If you need a proof do same as I explained.

Hey @newoabp, I think your review is unfair. Did you disable LastPass as @davidanderson suggested? Or try it in an incognito browser? It definitely is LastPass causing this “error”, not the plugin.

LastPass will try to fix your wrong password so that you log in correctly. That’s their whole business model… The plugin works fine.

@newoabp Have you understood that you have installed the LastPass password manager, saved your password in it, and that it is inserting your password in the login request?

Try it on a site on which you have *not* saved a password. Then you’ll see the difference.

David

I do not installd last pass