If you disable all providers, you're still required to revalidate. You can't enable any providers until you do, but you get a fatal error when you try.
Uncaught Error: Call to a member function get_key() on null in two-factor/class-two-factor-core.php on line 742
wait 30 seconds, and refresh. the Revalidate button will not appear, because you don't have a 2fa session. that's the correct behavior
now enable the Dummy provider, and immediately disable it (before the 30 second revalidation period expires)
wait 30 seconds for the period to expire, then reload profile.php again. The Revalidate button will appear, because the WP session data still indicates that it's a 2FA session. that's wrong, and prevents you from enabling any provider until you revalidate. if you try to revalidate, you get the fatal error.
iandunn
commented
1 year ago
Describe the bug
If you disable all providers, you're still required to revalidate. You can't enable any providers until you do, but you get a fatal error when you try.
Introduced in #529. I missed this during testing, but @adamwoodnz discovered it in https://github.com/WordPress/wporg-two-factor/issues/160. His PR https://github.com/WordPress/wporg-two-factor/pull/161/ would fix downstream, but it looks like the root cause is located here.
Steps to Reproduce
_two_factor...usermeta for the userwp-admin/profile.phpRevalidatebutton will not appear, because you don't have a 2fa session. that's the correct behaviorprofile.phpagain. TheRevalidatebutton will appear, because the WP session data still indicates that it's a 2FA session. that's wrong, and prevents you from enabling any provider until you revalidate. if you try to revalidate, you get the fatal error.