born05 / craft-twofactorauthentication

Craft plugin for two-factor or two-step login using Time Based OTP.
MIT License
36 stars 26 forks

Incorrect QR Codes when Activating? #79

Closed brianrivet-tilt closed 1 year ago

brianrivet-tilt commented 1 year ago

Hi,

I'm seeing weird behavior with this plugin when my users try to activate 2FA. They are trying to use the QR code with Google Authenticator to activate, and when they scan the QR code, they see the name of a different user in Google Authenticator and it isn't taking their authentication codes.

I'm running version 3.2.0 on Craft 4.4.13

brianrivet-tilt commented 1 year ago

Just checking on the status of this.

roelvanhintum commented 1 year ago

We're looking into this. Are you sure the page isn't cached or anything like that? I haven't run into this before.

Edit: Does the problem occur in the control panel, or in custom site templates? The getCurrentUserQRCode function just uses the currently logged-in user.

brianrivet-tilt commented 1 year ago

The problem occurs in the control panel. I had the config set to force 2FA on the backend (it is currently disabled because the client couldn't access the backend). I do not believe that it is cached, but I'm going to confirm with the host to make sure. The site is not load balanced in case that may be a question.

brianrivet-tilt commented 1 year ago

I'm working on verifying if this is the cause, but we do have a cache that happens at the network level. We are using a custom control panel trigger and the network cache is set to ignore URLs in that URL path, but I noticed that the QR screen uses index.php with a query string. Is there a way to have it use the same admin path as the rest of the control panel? If not, I think we can have the network cache ignore the QR URL if it is the same each time.

roelvanhintum commented 1 year ago

The 2FA screen always has the following path, which isn't something I can change very easily: /index.php?p=admin/actions/two-factor-authentication/verify/login

This would be a change for a new major version, but with Craft CMS having its own 2FA feature in development, I don't see this happening. See: https://github.com/craftcms/cms/pull/13000

brianrivet-tilt commented 1 year ago

I completely understand. I think we can work around the issue for now, at least until native 2FA gets added in. Thanks!