Problem/Motivation

Currently, with TFA enabled, the number of times a user who has not set up TFA validation can log in is, it appears, set to 3.
Admins can configure this value to a very large number at admin/config/people/tfa.

Steps to reproduce

Go to admin/config/people/tfa
Set Skip Validation to any large number.

Proposed resolution

Set max limit to 50 for skipped validations

User interface changes

No changes

API changes

No changes

Data model changes

Issue fork tfa-3263289


Comments

codepress created an issue. See original summary.

codepress’s picture

Status: new | Size: 652 bytes

codepress’s picture

Status: new | Size: 652 bytes
jcnventura’s picture

Status: Active » Closed (duplicate)

Duplicate of #3315549: Set an upper limit to TFA Skip Validations, which implemented a better fix, and gave credit to the original reporter of this problem in a security issue that was opened and closed before this issue was created.
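
The bound proposed in this issue, sketched as an added example (not the TFA module's code and not the fix from #3315549). All function and constant names are hypothetical; only the limit of 50 comes from the proposed resolution above. It validates the admin-submitted value and also clamps the stored value at read time, so a large number saved before the bound existed stops granting an effectively unlimited number of skipped validations.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; this is not the TFA module's code.
const SKIP_LIMIT_MAX = 50; // Upper bound proposed in this issue.

/**
 * Validates an admin-submitted skip limit. Returns the integer or throws.
 */
function validate_skip_limit(string $raw): int {
  // Digits only: rejects negatives, floats, exponents ("1e9") and blanks.
  if (!preg_match('/\A\d+\z/', $raw)) {
    throw new InvalidArgumentException('Skip limit must be a whole number.');
  }
  // An over-long digit string saturates to a huge int, which still fails here.
  $value = (int) $raw;
  if ($value > SKIP_LIMIT_MAX) {
    throw new InvalidArgumentException('Skip limit cannot exceed ' . SKIP_LIMIT_MAX . '.');
  }
  return $value;
}

/**
 * Clamps a stored limit at read time, so a value saved before the bound
 * existed cannot keep allowing an effectively unlimited number of skips.
 */
function effective_skip_limit(int $stored): int {
  return max(0, min($stored, SKIP_LIMIT_MAX));
}

/**
 * Decides whether a user who has not set up TFA may log in without it.
 */
function may_skip_tfa(int $skips_used, int $stored_limit): bool {
  return $skips_used < effective_skip_limit($stored_limit);
}

// Constructed sample input for the form-side check.
foreach (['3', '50', '51', '999999999', '-1', '1e9', ''] as $raw) {
  try {
    printf("%-12s accepted as %d\n", var_export($raw, true), validate_skip_limit($raw));
  } catch (InvalidArgumentException $e) {
    printf("%-12s rejected: %s\n", var_export($raw, true), $e->getMessage());
  }
}

// Constructed case: a limit of 1000000 stored before the bound was added.
var_dump(may_skip_tfa(49, 1000000));
var_dump(may_skip_tfa(50, 1000000));
```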