Just noticed this. The check for a valid 2FA code needs to include the existence of such a code in the database, rather than a check for whether the actual form field has a value. So if they have 2FA set up and don't enter a code, the login method should throw ASAP.
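
The flawed check and the fix described above, as an added Python example that is not the project's own code. The in-memory `USERS` table, the function names and the use of TOTP as the second factor are assumptions, since the page names neither the language nor the 2FA scheme.

```python
import hashlib, hmac, struct, time

class LoginError(Exception):
    pass

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed stand-in for the database; totp_secret is None when 2FA is not enrolled.
SALT = b"constructed-salt"
USERS = {
    "alice": {"pw": pw_hash("alice-pw", SALT), "totp_secret": b"constructed-secret"},
    "bob": {"pw": pw_hash("bob-pw", SALT), "totp_secret": None},
}

def _password_ok(username: str, password: str) -> dict:
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw"], pw_hash(password, SALT)):
        raise LoginError("invalid credentials")
    return user

def _code_ok(secret: bytes, code: str, now: float) -> bool:
    return hmac.compare_digest(code.encode(), totp(secret, now).encode())

def login_flawed(username, password, code="", now=None):
    """The check as described: 2FA is verified only if the form field has a value."""
    user = _password_ok(username, password)
    now = time.time() if now is None else now
    if code and user["totp_secret"] and not _code_ok(user["totp_secret"], code, now):
        raise LoginError("invalid 2FA code")
    return username  # an enrolled user who leaves the field empty lands here

def login_fixed(username, password, code="", now=None):
    """Enrollment stored in the database decides whether a code is required."""
    user = _password_ok(username, password)
    now = time.time() if now is None else now
    secret = user["totp_secret"]
    if secret is not None:
        if not code:
            raise LoginError("2FA code required")  # throw before any other work
        if not _code_ok(secret, code, now):
            raise LoginError("invalid 2FA code")
    return username
```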