Automattic / wp-calypso

The JavaScript and API powered WordPress.com
https://developer.wordpress.com
GNU General Public License v2.0

WordPress.com Desktop App: Login Issues with Application Password for 2FA-Enabled accounts. #89736

Open jorpdesigns opened 5 months ago

jorpdesigns commented 5 months ago

Quick summary

Users cannot log into the WordPress.com Desktop App using a generated application password when Two-step Authentication is active.

Steps to reproduce

  1. Download the WordPress.com Desktop App here (if you haven't): P7jrAc-3-p2
  2. Add a New Application Password to a WordPress.com account with Two-step authentication enabled.
  3. Attempt to log in to the 2FA-enabled account from the desktop app, using the account username and application password created above.

What you expected to happen

I expect to be logged in to my account.

What actually happened

An "Oops, that's not the right password. Please try again!" error message appears consistently and it persists even after recreating the application password. This issue occurs with or without the spaces in the application password.

[Screenshot: 6pJile.png]

Impact

Some (< 50%)

Available workarounds?

No but the platform is still usable (log in from a browser instead)

Platform (Simple and/or Atomic)

No response

Logs or notes

Issue reported in 8078380-zen

mrfoxtalbot commented 5 months ago

I can replicate this issue, @jorpdesigns, thank you for the report. This is where I get stuck when I try from my account:

[Screenshot 2024-04-23 at 12 20 53]

This is indeed a blocker but I am not sure what our plans for the Desktop App are. Do we have a team working on this that could take a look, @ebinnion? Thank you!

dsas commented 5 months ago

@mrfoxtalbot was that using an application password? #81364 has been open for a while specifically about security keys preventing login.

mrfoxtalbot commented 5 months ago

I knew I had seen this somewhere, thank you @dsas. I had even added a comment https://github.com/Automattic/wp-calypso/issues/81364#issuecomment-1962272348 in February :S

Closing this as duplicate.

jorpdesigns commented 5 months ago

@dsas The login in this report uses an application password while the login in #81364 is specifically about security keys. Not sure if both issues are related or using the same logic but thought to clarify.

PS: You would need to set up and use an application password to reproduce the bug in this report. I suspect @mrfoxtalbot may have entered the actual account password before being prompted to use a security key (explaining why he got a different screen).

dsas commented 5 months ago

I'm unsure if they're related or not, let's keep both open to ensure both scenarios get checked.

dsas commented 2 weeks ago

FWIW I can reproduce this specific issue with the desktop app, I am using an app specific password and the (non-a8c) account does have a security key, but I'm not receiving a security key prompt.

obenland commented 1 week ago

@mrfoxtalbot How many users are affected by this? It feels odd for this to be a BLOCKER level issue

obenland commented 2 days ago

Downgrading priority since we've only gotten limited user feedback on that