Open stronenv opened 1 year ago
Thanks for the report @stronenv, when you disabled 2FA was this shortly after it being enabled?
Hi @pkevan! Yes, it was shortly after. I did disable it on another device, though, after logging out and back in again.
Thanks for the extra details - we'll investigate further.
@iandunn Do you think it makes sense if we implement the first suggestion, "Second confirmation with an 'Are you sure?' prompt", first and leave the second one in iteration 2?
an "Are you sure?" prompt
That seems prudent 👍🏻, but not necessarily high priority IMO, since it's easy to turn back on, and there are several status indicators to make it obvious when it's off.
password or 2FA code
🤔 We already have this in the revalidation process. It sounds like it maybe wasn't triggered in this case because of the time window where it's not required (a la sudo mode).
If not, then that seems like it'd indicate a bug w/ the existing code that should be fixed instead.
Maybe I missed something though?
Possibly related https://github.com/WordPress/two-factor/pull/578
🤔 We already have this in the revalidation process. It sounds like it maybe wasn't triggered in this case because of the time window where it's not required (a la sudo mode).
Yes, I think this might be the case in the 2nd device, since the time window would start from log in.
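The revalidation window discussed in the two comments above, modelled as an added example. This is not the two-factor plugin's code and makes no claim about its internals: the window length, the session array layout (`login_time`, `revalidated_at`), the `confirmation_valid` request flag and the `handle_disable_2fa` function are all hypothetical. It shows why a window that starts at login lets 2FA be disabled on a freshly logged-in device without any prompt, and what changes if the disable action itself must carry a fresh confirmation.

```php
<?php
// Added example, not the two-factor plugin's own code. It models a sudo-mode
// style revalidation window and the gap left when the window starts at login.

// Hypothetical grace window in seconds; the real plugin's value is not assumed.
const REVALIDATION_WINDOW = 600;

/**
 * Sudo-mode check: true if the user authenticated recently enough that no
 * fresh password/2FA prompt is required.
 *
 * $session is a constructed array with 'login_time' and, only if the user has
 * re-entered a password or 2FA code since logging in, 'revalidated_at'.
 * $login_counts decides whether the login itself opens the window.
 */
function within_revalidation_window(array $session, int $now, bool $login_counts): bool {
    $last = $session['revalidated_at'] ?? null;
    if ($login_counts) {
        // Window measured from login, as described for the second device.
        $last = max($last ?? 0, $session['login_time']);
    }
    return $last !== null && ($now - $last) < REVALIDATION_WINDOW;
}

/**
 * Decide whether a "disable 2FA" request proceeds. Returns 'disabled' or 'prompt'.
 *
 * $policy:
 *   'window'  - rely only on the revalidation window (the behaviour under discussion).
 *   'confirm' - the disable request must itself carry a valid password or 2FA
 *               code ($request['confirmation_valid']), whatever the window says.
 */
function handle_disable_2fa(array $session, array $request, int $now, string $policy): string {
    if ($policy === 'confirm') {
        return !empty($request['confirmation_valid']) ? 'disabled' : 'prompt';
    }
    return within_revalidation_window($session, $now, true) ? 'disabled' : 'prompt';
}

// Constructed scenario: log in on a second device, then try to disable 2FA
// 30 seconds later without typing a password or code.
$session = ['login_time' => 1700000000];     // no explicit revalidation yet
$request = ['confirmation_valid' => false];  // nothing entered with the request
$now     = $session['login_time'] + 30;

echo 'window policy, 30s after login:  ', handle_disable_2fa($session, $request, $now, 'window'), "\n";
echo 'confirm policy, 30s after login: ', handle_disable_2fa($session, $request, $now, 'confirm'), "\n";

// Same request one hour after login: the window has lapsed.
$later = $session['login_time'] + 3600;
echo 'window policy, 1h after login:   ', handle_disable_2fa($session, $request, $later, 'window'), "\n";
```

Under the `window` policy the first call goes straight through because the login time falls inside the window, which matches the report of disabling 2FA on a second device shortly after logging in; the same request an hour later prompts. Under the `confirm` policy the request prompts whenever no valid password or 2FA code accompanies it, independent of how recently the user logged in.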
When disabling 2FA, you're not asked to enter a 2FA code or password, or asked to confirm at all.
Suggested improvements for disabling 2FA: