• Resolved erichardsmixd

    (@erichardsmixd)


    Hey WordFence team,

    We’ve been making use of the WordFence plugin to provide a smooth 2FA experience across our client websites.

    Currently there’s one part of the plugin which isn’t working very well for us – that’s the WordFence 2FA capabilities.

    We want to provide our clients with control to manage 2FA for their team members; it’s not feasible if they need to reach out to our support team every time they need one of their users’ grace periods resetting or disabling 2FA because a user has lost a device etc.

    I understand there are three custom capabilities created by the plugin:

    • wf2fa_activate_2fa_others
    • wf2fa_activate_2fa_self
    • wf2fa_manage_settings

    In a custom WordPress role, we want to provide a select number of our clients with the wf2fa_activate_2fa_self and wf2fa_activate_2fa_others capabilities, in order to manage 2FA issues for their team (resetting grace periods etc). However, we don’t want to provide them with wf2fa_manage_settings because this gives them too much control; they can simply disable 2FA across the entire website.

    Unfortunately, it seems there’s a bug at the moment where the wf2fa_activate_2fa_self and wf2fa_activate_2fa_others capabilities are essentially redundant unless the user also has wf2fa_manage_settings. Without the latter capability, they can view all the controls to reset a user’s grace period but it won’t actually let them do so (they receive an error in the UI).

    Please could your team look at tweaking how the capabilities for 2FA are set up so we can provide clients with enough control to deactivate/reset 2FA for other users and reset their grace periods, without needing access to all the administrative settings of WordFence 2FA site-wide.

    Happy to answer any questions you might have!

    Thanks,

    Ed

Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @erichardsmixd, thank you for your observations.

    A case of this did come up in the near past so has already been feature-requested and discussed. If the user doesn’t have access to wf2fa_manage_settings, they shouldn’t see that option. The behavior where they’re unable to reset the grace period for other users without that permission is as currently intended, however.

    Sometimes users with elevated permissions, but not high enough to manage the overall settings of Wordfence, will see the option despite their inability to change the value.

    We have treated this as a feature request to alter that feature’s visibility and possibly add more specific permissions to separate the option seen here from the other Login Security settings. We unfortunately can’t provide precise timescales or ongoing updates here on the forums.

    Many thanks,
    Peter.

  • The topic ‘Wordfence 2FA Capability Issues’ is closed to new replies.
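
The role split discussed in this thread, as an added example that is not part of either post and not Wordfence's own code: it registers a delegated role holding only the two activation capabilities and lists every role that holds wf2fa_manage_settings. The role slug, display name and the `read`/`list_users` base capabilities are assumptions; per the reply above, a role built this way still cannot reset other users' grace periods.

```php
<?php
// Added example (mu-plugin style). Only the three wf2fa_* capability names
// come from the thread; the slug, label and base caps are assumptions.
const CLIENT_2FA_ROLE = 'client_2fa_manager'; // hypothetical slug

function register_client_2fa_role(): void {
    $caps = [
        'read'                      => true, // assumption: dashboard access
        'list_users'                => true, // assumption: can open the Users screen
        'wf2fa_activate_2fa_self'   => true,
        'wf2fa_activate_2fa_others' => true,
    ];

    $role = get_role( CLIENT_2FA_ROLE );
    if ( null === $role ) {
        add_role( CLIENT_2FA_ROLE, 'Client 2FA Manager', $caps );
        return;
    }

    // Role already exists: top up missing caps without rewriting it each request.
    foreach ( $caps as $cap => $grant ) {
        if ( ! $role->has_cap( $cap ) ) {
            $role->add_cap( $cap, $grant );
        }
    }

    // Least privilege: the delegated role must never hold site-wide 2FA settings.
    if ( $role->has_cap( 'wf2fa_manage_settings' ) ) {
        $role->remove_cap( 'wf2fa_manage_settings' );
    }
}
add_action( 'init', 'register_client_2fa_role' );

// Audit helper: slugs of every role that can change site-wide 2FA settings.
function roles_with_2fa_settings_access(): array {
    $found = [];
    foreach ( wp_roles()->role_objects as $slug => $role ) {
        if ( $role->has_cap( 'wf2fa_manage_settings' ) ) {
            $found[] = $slug;
        }
    }
    return $found;
}
```

Reviewing the output of `roles_with_2fa_settings_access()` after role or plugin changes shows whether the ability to disable 2FA site-wide has spread beyond the roles meant to have it.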