User can't Log-In

Started by stoo23, December 24, 2023, 08:14:11 PM

stoo23

Firstly, May I offer Best Wishes to All for the 'Festive Season' and may you enjoy the company of good friends, family and loved ones.  ;)  :)

BAD  time to need to ask for help eh ??

I had a long time older member return to the forum recently and at his 'prompting' Re-Attributed his previous posts to the New incarnation of his membership (he no longer was a member and his previous Posts were listed under his name, but as 'Guest')

That process all went smoothly and all has been fine for a few months Until, just the other day 22 Dec', when all of a sudden he is unable to Log-In.
When attempting to, it simply re-directs him to the page all new members get to see but is still not logged in.
I have been able to replicate this behaviour myself trying to log in under his User name and password.

So far, the ONLY thing I can see that Could be an Issue, is somehow, "Two Factor Authentication", has been 'Enabled' on his Account.

I certainly didn't do it and whilst I have Not checked All 900 or so of our members, from a reasonably thorough 'glance', he would seem to be the Only Member with 'TFA' Enabled, so am kinda leaning towards this being the 'issue'.
I just had it confirmed by him that;
Quote: I did enable 2FA, I've got The+MASM+Forum:sinsi in Google Authenticator

TBH, I have No idea what changes or is involved on a per member basis when tfa is enabled, so can atm not give him any advice.

As the Admin', I have tried Disabling tfa on his account, to no avail, so am simply wondering what to do.
I can see the tfa info for his membership listed in the members section via phpMyAdmin, so am thinking that may be the place to remove the tfa info, but don't want to 'break' anything by simply deleting the info'.

Also, is there a way to Remove the TFA Option from being applied on users accounts ??
I'm thinking I would Prefer it if there was :)

EDIT: I just went looking and discovered that 'TFA' IS enabled in the 'Cookies & Sessions' section in Maintenance !!?? tbh, I don't remember setting this that way ??  :o  ::)  but hey, it has been a while,..  :laugh:

Can I simply Change that to 'Disabled' ?? and if so what other consequences will there be,.. if Any ??

Thanks in advance,
Regards,
Stewart

Oldiesmann

Disabling TFA globally won't do any more than disabling it on his account would do (at least for him). If disabling TFA on his account didn't fix it then there's another problem somewhere.
Michael Eshom
Christian Metal Fans

stoo23

Hi and thanks but as suggested in my post, I was Unable to Disable it on his account !!

There are no extra warnings or messages for him or myself when trying to log in under his user name, it simply doesn't work.

Nothing has changed, no Mods installed since his return etc
The forum has just been running along happily, till this occurred the other day.

Most odd

durangod

Hi, I am new here but I'll try to help, maybe I can learn something too.  Process of elimination is the best way to attack this, I think.

First, don't change stuff directly in the db unless you know what you are doing.  :)

Did you disable 2fa in his account by going to his profile account settings and unchecking the box there?  You should be able to do that as admin, well maybe not, I'm not able to on my test account... hmmmm

Has he tried to reset his password yet using forgot password?
My name is short for durango dave (i am not a god lol)

stoo23

Hi thanks for your input  :)
Quote: Did you disable 2fa in his account by going to his profile account settings and unchecking the box there?
Well, like you may have also discovered, even as Admin', you Can't Change the users TFA settings on his profile, even With the users Password.

Quote: Has he tried to reset his password yet using forgot password?
Not sure, I am checking, but I think, perhaps yes, as when he sent me his password he 'suggested' this was his New Password.

Quote: First, don't change stuff directly in the db unless you know what you are doing.  :)
Yeah, well, whilst Not an Expert, I do have some understanding but also have a semi local Helper Admin' who is a Very capable Sys' Admin' and Does know what he is doing, but hey it's Xmas,.. lol so not many people about, I just have Xmas alone so just doing some housework as it were  ;)  :)

Steve

Does this occur on more than one browser? When I run into problems like this the first three things I do are:

Clear the browser cache

Try a different browser

Reboot the computer

These may not solve his problem but it eliminates 3 easy potential problem areas.
My pet rock is not feeling well. I think it's stoned.

stoo23

Hi,.. yeah, usually MY suggestions to users as well  :)  but in this case, he is a pretty astute and cluey user, of many years standing, and a very good Coder.

I WILL check, but from his communications, I feel he probably Has done so with No joy, so had to email me via the Admin email.

cheers  :)

stoo23

NB: with specific reference to the last couple of posts, it should be noted that I can Replicate the users inability to be able to log in on my machine using his user name and password, so browser and cache etc are Not the issue, as perhaps obviously, I had never logged in as him from this machine ... until I did and experienced the same issue as he is having.

Kindred

Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

stoo23

:)  OK, I will, I just wanted to make sure doing so would be ok  :)

EDIT: Well, that seemed to go OK and I could successfully Log-In as that User from My End.
Have informed the User, so I guess I will simply See him 'appear' On-Line  :)

Whilst simply Disabling 'TFA' Site-Wide, Has hopefully, Solved the Problem the user was experiencing, it doesn't really help understanding What the specific cause of the problem was or Why it was an issue.  :-\

Thanks for the help anyway.  :)

Sir Osis of Liver

Is affected member using a vpn?
When in Emor, do as the Snamors.
                              - D. Lister

stoo23

NO, not that I am aware of.

Disabling TFA has worked and he is now able to log-in successfully.

I'll Mark this as Solved, because the issue has been fixed.
Might be usefully educational to know what the issue may have been though  :) if anyone has any ideas.
Be interesting to know if others are effectively using TFA  on individual user accounts.

Sir Osis of Liver

Don't know exactly how TFA works, but the description in profile is pretty clear:

Two-Factor Authentication
2FA allows you to have a secondary layer of security by assigning a dedicated device without which no one would be able to log into your account even if they have your username and password

If TFA is enabled, member can only log in to forum with the device that was used to enable TFA.  You were able to replicate the problem because the feature was working as intended, you were trying to log in from a different device.  Wouldn't make sense if you could log into member's account with their username and password, that would defeat the purpose.  The forum must identify the device, I would guess by either dropping an additional or modified cookie, or by matching current IP with enabling IP.  If cookie has been deleted or is corrupt, or if member is using a VPN which presents a different IP, login will fail. 

When in Emor, do as the Snamors.
                              - D. Lister

Sesquipedalian

Just to clarify, the user can log into their account on a different device than the one that they use for two-factor authentication. But they must have the TFA device with them in order to do so.

For example, if you set up your phone as your TFA device, you can log into your account from your laptop. But during the login process, you will be asked for the TFA code that appears on your phone. If you don't have your phone with you, you won't be able to see the code on your phone, and therefore you won't be able to enter it on your laptop.
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.
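
An added example, not part of the thread and not SMF's own code: a minimal RFC 6238 (TOTP) check of the kind authenticator apps such as Google Authenticator implement, showing that the code entered at login is derived only from the enrolled shared secret and the current time, so it can be typed on any device, and fails when the clocks disagree or the enrolled secret differs. The 30-second step, 6 digits and HMAC-SHA1 are the usual app defaults and are assumed here; the secrets are constructed sample values and the one-step tolerance window is an assumption.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (assumed authenticator-app default)
DIGITS = 6   # code length (assumed authenticator-app default)

# Constructed sample secrets: the RFC 6238 test key and an unrelated one.
SECRET = base64.b32encode(b"12345678901234567890").decode()
OTHER_SECRET = base64.b32encode(b"a different 20B key!").decode()


def totp(secret_b32, unix_time):
    """RFC 6238 code (HMAC-SHA1) for a Base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, submitted, server_time, window=1):
    """Server-side check: accept codes from +/- `window` steps around now."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def demo():
    """Return outcomes for a code generated on the phone at t=59."""
    code = totp(SECRET, 59)
    return {
        "code": code,
        "same_time": verify(SECRET, code, 59),
        "one_step_late": verify(SECRET, code, 89),
        "clock_5min_off": verify(SECRET, code, 359),
        "stale_enrolment": verify(OTHER_SECRET, code, 59),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```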

stoo23

Thanks for the replies  :)

I kinda figured MY attempts to Log in as the user Would fail, but the apparent issue that he was also experiencing, was that the Log In 'process', did not continue, beyond initial failure, with no further interaction  regarding the TFA occurring at his end.

As suggested, the user is far from inept and most definitely 'has a clue' and had established the required TFA Device associations, (OR so he believed), so we can only assume Something went awry in the process of TFA establishment.

cheers,
Stewart
