I don't understand the logic involved with the TFA settings form. I was under the impression that the "Enable TFA" checkbox just specifies whether any of the plugins are available and thus generate the security page; however, checking this box (regardless of the "Roles required to have set up TFA" all being unchecked) seems to force TFA and automatically logs out the user. So, in my case, testing this out as a user that doesn't have TFA set up with the above settings, I get automatically logged out with the fallback help message. I would think this would be the result only if the user's role was set as required to have TFA. I'm using the Twilio SMS as the default with help as fallback, although I've tried with other plugins as well and got the same result. The only way I can get this to work for me is if I initially set "Enable TFA" so I can specify Twilio as the default and then deselect "Enable TFA" and save the form. Only under this scenario can I prevent logout and actually allow the user to set up SMS.

I'm on PHP 7.0.18 but using the recommended Twilio library 2010-04-01 since the version 5 library isn't supported by the module.

If the "Enable TFA" checkbox is designed to force TFA, it clearly needs to indicate its function and therefore... I have no idea what the purpose of the roles field is then....

Can someone please assist with explaining what might be going on here or indicate if there are some known related bugs? I haven't been able to find anything in the issues specific to this issue but have noticed several related to UI confusion on how a user is supposed to set up TFA if they can't log in.

Comments

apmsooner created an issue. See original summary.

apmsooner

A sidenote: the Twilio and help form fields should not even be visible if "Enable TFA" is unchecked. The #states property is not set up correctly in the form property to include that as well as the plugins, so the fields show as long as the plugins are set. I can provide a patch to fix that but that begs the question further.... Why does "Enable TFA" without roles required automatically log users out? Well, I came across this issue https://www.drupal.org/node/2609090 which appears to maybe be causing the issue as after applying the patch, the site behaves as it should.

Issue has resurfaced regardless of the patch from other issue. This makes no sense but I'm currently limited to the module working only if "Enable TFA" is left unchecked. Again, I have to temporarily enable to set my active plugin and fallback but disable the "Enable TFA" box or it just won't work....

damienmckenna

Version: 7.x-1.0 » 7.x-1.x-dev