Since the original bug report post from February 2023 is locked, I had to create a new topic. Please note this is a follow-up to the original topic.
Please consider adding a filter to the private function generate_otp_url in /modules/login-security/classes/model/2fainitializationdata.php, passing the base32 encoded secret as an argument. That way, we can use the email address as the user parameter and site name as the issuer parameter (instead of username and site URL).
Otherwise, please consider changing the default parameters so they follow the common OTPAuth standard.
https://www.ads-software.com/support/topic/filter-for-qr-code/
I wonder if you have any ETA for when the plugin will be updated with the right issuer (i.e., the website name, not Wordfence)? Implementing a filter like the one suggested would also be very welcome since many sites only use email addresses for logging in, not usernames.
If TFA is not active on a required account, then allow them to login but redirect them from any other page to (e.g. your preferred page where they can set it up – make sure it is the WordPress canonical URL for the page so that a redirect loop is not set up):
/wp-admin/admin.php?page=aiowpsec_settings&tab=two-factor-authentication
The problem is I can’t find any information about how to set up such a page on the frontend?
Ideally when users log in for the first time they would be redirected to a page that requires them to set up TFA before they can access the admin system.
At present, it just blocks users from logging in with the following message:
The site owner has forbidden you to login without two-factor authentication. Please contact the site owner to re-gain access.
So I guess there are 2 issues here:
CODE REQUIRED: Please provide your 2FA code when prompted.
The strange thing is that I wasn’t prompted for a 2FA code. Fortunately, I just need to try to sign in again, and everything works like a charm the second time. I’ve successfully replicated the issue with multiple users on the same site.
I’m currently trying to replicate the issue on a new WordPress install with no other plugins running, something I haven’t succeeded with yet. I therefore don’t know if it’s a bug or just a plugin conflict.
To do this without losing functionality, we had to make some changes to the plugin. Here’s a list of the functionality I’d love to see in an upcoming version of Wordfence to avoid having to change the plugin files after every update. I also believe these functions would be of use for all Wordfence customers.
When I log in to the WordPress panel using MFA, I see that logs of a 403 error are created.
403 POST /wp-admin/admin-ajax.php
I have removed .htaccess for testing, and it still happens.
Browser’s console provided the following error message:
CMB2 localized data
{ajax_nonce: 'hide', ajaxurl: 'https://example.com/wp-admin/admin-ajax.php', script_debug: '1', up_arrow_class: 'dashicons dashicons-arrow-up-alt2', down_arrow_class: 'dashicons dashicons-arrow-down-alt2', …}
ajax_nonce: "hide"
ajaxurl: "https://example.com/wp-admin/admin-ajax.php"
defaults: {color_picker: {…}, date_picker: {…}, time_picker: {…}}
down_arrow_class: "dashicons dashicons-arrow-down-alt2"
script_debug: "1"
strings: {upload_file: 'Use this file', upload_files: 'Use these files', remove_image: 'Remove Image', remove_file: 'Remove', file: 'File:', …}
up_arrow_class: "dashicons dashicons-arrow-up-alt2"
[[Prototype]]: Object
Any thoughts of a solution?
(This is not a support ticket, just general information regarding compatibility.)
The documentation is sadly lacking…..
No settings page? How do I enable a certain TFA for all users? e.g. turn on email TFA for all users?
https://www.awesomescreenshot.com/image/11011051?key=d03a4dbe7c24f850f324231eee5f195b