born05 / craft-twofactorauthentication

Craft plugin for two-factor or two-step login using Time Based OTP.
MIT License

Can access CP without 2FA with ForceBackEnd set to true #54

Status: Closed (amygtownsend closed this issue 3 years ago)

amygtownsend commented 3 years ago

Description of issue

With ForceBackEnd set to true in the config (and VerifyBackEnd set to true as well), I would expect the following:

After logging in, I see the page for setting up 2FA. If I skip the 2FA setup and then access the CP by URL, I am logged out and redirected to the CP login page.

However, what happens instead is:

After logging in, I see the page for setting up 2FA. If I skip the 2FA setup and then access the CP by URL, I can see the CP and am logged in. If I go to the 2FA page in the CP, I can see that I don't have 2FA enabled.

Additional context

Craft version: 3.5.19.1
Plugin version: 2.9.0

roelvanhintum commented 3 years ago

@amygtownsend thanks for the issue and clear description! I performed the same steps, but could not reproduce this behavior. Do you have some info on maybe other plugins or custom modules?

roelvanhintum commented 3 years ago

Note: I tested this on Craft 3.6.12.1 and 3.6.13.

amygtownsend commented 3 years ago

@roelvanhintum Thank you for checking this out! After disabling all of our custom modules, I'm no longer seeing the issue. This can be closed out!