No, wrong passwords aren’t accepted

Did you type in a wrong password for testing purposes, and find that it seemed to be accepted?

This is not related to the TFA plugin. You have a password manager extension installed in your web browser, with the correct password saved in it. It has automatically replaced your wrong password with the right one from its saved store. This behaviour has been observed and confirmed by several users. You can verify it by using the web developer tools in your browser to look at the HTTP data sent to WordPress, and observe which password is actually in it. You can also open a fresh web browser with no such extension in it to re-test.

Note that the two factor authentication plugin has no mechanism to compare or approve passwords; this is done by WordPress core. If the wrong password is sent, then this is handled by WordPress, and the login will not proceed.

(Please don’t post replies to this “sticky” topic – open your open topic instead).