Problem/Motivation

When multiple validation plugin options are available to users, the default plugin must be set up for TFA to work correctly. If another validation plugin is set up without the default, TFA is enabled but not used. Following logins are considered skips and you'll see the "You are required to setup two-factor authentication..." message even when the user is not required to set up two-factor authentication.

Steps to reproduce

Configure at least 2 validation plugins in the TFA Settings form (ex: GA Login and TFA Recovery Code) and set one of them as default. Log in and enable TFA with a non-default plugin, skipping setup of the default plugin. You'll see that TFA is now enabled. Log out and log back in. TFA will be skipped and you'll see the message about TFA setup being required.

Proposed resolution

Maybe the default plugin is intended to be required with all others only as backup/recovery options, in which case I think TFA should not be considered enabled for the user until the default plugin is set up. The description for the default plugin field should also clarify this.

I'd prefer that the default plugin be optional when other validation plugins are available. If a user wants to use a plugin like email/SMS/security key/etc. over a default like GA Login I think that should be possible. (If we go this direction, the "TFA setup canceled" message when skipping configuration for the default plugin after configuring a different one should change.)

Although a plugin like TFA Recovery Code probably shouldn't be configured alone. Maybe we could add an option for validation plugins to be considered recovery, where at least one non-recovery plugin must be configured for TFA to be enabled?

Issue fork tfa-3277090

Comments

cantrellnm created an issue. See original summary.

jcnventura’s picture

Version: 8.x-1.x-dev » 2.x-dev

I'd much rather see that instead of having a 'default' plugin, they should be ordered, which I believe was the original idea behind a default plugin.
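The two proposals in this thread, a "recovery" flag on validation plugins (so recovery codes alone never count as TFA being enabled) and an ordered use priority replacing the single default, modelled as an added example; this is not the TFA module's code, and the plugin IDs and the site plugin list are constructed for illustration:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ValidationPlugin:
    plugin_id: str
    recovery: bool = False  # True for backup/recovery-only plugins


# Hypothetical site configuration: validation plugins in order of use priority.
# The first entry plays the role the "default" plugin plays today.
SITE_PLUGINS = [
    ValidationPlugin("tfa_totp"),                          # e.g. GA Login
    ValidationPlugin("tfa_email"),                         # a non-default alternative
    ValidationPlugin("tfa_recovery_code", recovery=True),  # TFA Recovery Code
]


def tfa_enabled(configured_ids, plugins=SITE_PLUGINS):
    """TFA counts as enabled only when a non-recovery plugin is configured.

    Configuring only recovery codes leaves the account without a real
    second factor, so it does not enable TFA on its own.
    """
    return any(p.plugin_id in configured_ids and not p.recovery for p in plugins)


def select_plugin(configured_ids, plugins=SITE_PLUGINS):
    """Highest-priority configured non-recovery plugin to challenge with.

    Returns None when TFA is not enabled for the user. A user who skipped the
    first (default) plugin but set up a later one is still challenged, which is
    the behaviour the reporter expected instead of a silent skip.
    """
    for p in plugins:
        if p.plugin_id in configured_ids and not p.recovery:
            return p.plugin_id
    return None


def login_decision(configured_ids, tfa_required, plugins=SITE_PLUGINS):
    """What login should do: challenge, prompt for setup, or skip."""
    plugin = select_plugin(configured_ids, plugins)
    if plugin is not None:
        return "challenge:" + plugin
    return "setup_required" if tfa_required else "skip"
```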

jcnventura’s picture

Title: Default validation plugin is required rather than preferred » Replace default validation plugin by use priority
damienmckenna’s picture

cantrellnm changed the visibility of the branch 2.x to hidden.

cantrellnm’s picture

Status: Active » Closed (outdated)

After some testing with version 1.9 it seems that TFA now works okay with multiple validation plugins and allows a user to set up a non-default plugin only (with the exception of issue #3478989). Since that was my motivation for opening this issue I'm closing it as outdated. If someone has another reason to replace the default validation plugin with use priority please reopen it.

greggles’s picture

This was initially made private but determined by the security team process it could be handled in public.