ssv445 / Joomla-Two-Factor-Authentication

Two Factor Authentication

Users can bypass Google authentication process by opening the admin page in a new tab #58

Open Shabultius opened 9 years ago

Shabultius commented 9 years ago

I installed Two Factor Authentication and enabled it for a single user. When the user logs in using the Joomla login page, he gets redirected to a page where the user enters the verification code. If the user enters the admin page in another tab without entering the verification code, he is still considered logged in and can access the admin page.

rbslvivek commented 9 years ago

Hello,

In another tab also it will ask for 2 factor authentication and it's required. Can you share your screen and the scenario where you have implemented it?

Shabultius commented 9 years ago

Hi,

Thanks for the prompt response.

Here is a scenario:

STEP 0: Setting up a single user to have two-factor authentication when he logs in. As shown in the attached file.

STEP 1: User is not logged in and goes to the login page: my.site.com/administrator/index.php. He needs to enter his Joomla user password. If the credentials are right, he will be redirected to the second level of authentication to enter the Google authentication code.

STEP 2: On this page, my.site.com/administrator/index.php, he is supposed to enter the Google authentication code; however, he doesn't enter the code OR he enters a wrong code and gets "AUTHENTICATION FAILED". He decides to open a new tab and enter an admin URL.

STEP 3: Here is the new tab with this URL: my.site.com/administrator/index.php?option=com_xx&view=users. Logically, when he opens an admin page while not logged in, he has to get redirected to the login/Google authentication page, or receive an error saying "He is not authorized to see this page because he is not logged in". But he can easily access the page as he is actually logged in.

It seems like the user gets logged in after passing the Joomla authentication level and the second level of authentication is just there. Failing the second level of authentication doesn't make any difference.

I have attached all the steps.

step0-setting_single_user

step1_admin_login_page

step2_user_redirected_to_google_verification_page

step3_new_tab

Thanks for your help in advance!
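The session-state problem described in the three steps, modelled in plain PHP as an added example (not the plugin's own code): the reported flow promotes the session at the password step, the corrected flow only after the code is verified. The session keys and the user id 42 are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's code. Session keys are assumptions.

// Shared gate: every administrator request, in any tab, passes through this.
function isAdminAuthorized(array $session): bool
{
    return isset($session['user_id']);
}

// Reported behaviour: the password step already stores the user id, so the
// session is fully logged in before the code is ever entered. The second
// factor only drives a redirect, which a fresh tab simply does not follow.
function passwordLoginReported(array &$session, int $userId): void
{
    $session['user_id']     = $userId;
    $session['tfa_pending'] = true;
}

// Corrected pattern: park the candidate user id in a separate slot. Nothing
// that consults 'user_id' (the gate above, menus, ACL) can see it yet.
function passwordLoginFixed(array &$session, int $userId): void
{
    $session['tfa_pending_user'] = $userId;
}

// Second step: only a valid code promotes the session. A wrong or missing
// code drops the pending login, so "AUTHENTICATION FAILED" leaves nothing behind.
function verifyCodeFixed(array &$session, bool $codeIsValid): void
{
    if (!isset($session['tfa_pending_user'])) {
        return;
    }
    if ($codeIsValid) {
        $session['user_id'] = $session['tfa_pending_user'];
    }
    unset($session['tfa_pending_user']);
}

// Replays STEP 1-3 from the report: password ok, wrong code (or none), new tab.
function newTabAfterFailedCode(callable $passwordLogin): bool
{
    $session = [];                      // stand-in for $_SESSION
    $passwordLogin($session, 42);       // STEP 1: constructed user id
    verifyCodeFixed($session, false);   // STEP 2: wrong code (no-op for the reported flow)
    return isAdminAuthorized($session); // STEP 3: ?option=com_xx&view=users in a new tab
}

var_dump(newTabAfterFailedCode('passwordLoginReported')); // reported flow
var_dump(newTabAfterFailedCode('passwordLoginFixed'));    // corrected flow
```

The point of the corrected flow is that the gate itself does not change: the session simply never carries a user id until the second factor has passed, so every code path that trusts `user_id` is covered without adding a 2FA check to each one.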