"validation skipped" value keeps incrementing, locks out users

Created on 17 November 2023, 7 months ago
Updated 20 January 2024, 5 months ago

Problem/Motivation

We are in the midst of upgrading a new client's site to Drupal 10. The client hasn't reported any issues on the current Drupal 9 production site, but since we first created an account, the account's "Number of times validation skipped" value still increments with each login until we reach the limit and are locked out. And we aren't prompted for 2FA in the logins that lead up to being locked out.

There aren't any differences in the method (TOTP) or the application (Google Authenticator) from what the client uses, as far as we can see. I know the instructions say "Any fault where TFA validation is not required for a user with TFA provisioned should initially be consider a security issue." - but I wasn't sure how often provisioned users are prompted for TFA. Our client says they only get asked every few months currently.

Steps to reproduce

πŸ› Bug report
Status

Closed: outdated

Version

2.0

Component

Code

Created by


Comments & Activities

  • Issue created by @jeremy_estes
  • Update here our personal account tfa is working now after we switched from TOTP to HOTP as the method for Google to use.

    However, still curious if there's any further input here - because our clients' setup appears to use TOTP on production and if it's not supposed to work with TOTP, Google Authenticator should be removed from the list of supported applications for TOTP.

  • 🇺🇸United States cmlara

    My apologies for the delay in responding.

    On the site having trouble: What was the "Default Validation plugin" set to?

    Based on what you describe I suspect that it was set to HOTP. If so the flaw described in the 8.x-1.4 release notes → would be the cause (note: this fix has not been ported to 2.x yet).

  • Status changed to Closed: outdated 5 months ago
  • 🇺🇸United States cmlara

    With no response I'm going to close this as outdated, based on the probability of this being the same issue as fixed in the 8.x-1.4 release.

    If this is in error please re-open the issue with additional details.
