2FA Stopped Working

[webtek]

Noticed this quite by accident 'Secret Key' is shown but no longer required i.e. can login without inputting anything.

2FA is enabled (Google) both in plugin and for user (configures/accepts correctly and produces one-time emergency passwords) but the 'Secret Key' is not needed and throws no error and just logs in.

Have tried without any success:

Changed username & password

Disabling/re-enabling both in plugin and user account

Disabled/re-enabled in phpmyadmin

Re-installed J3.10.3 again over itself via update.

Even upgraded to J4.0.4

However created a new user and 2FA works fine. But then all articles previously written are no longer authored correctly. I then changed user/name of the original account and then changed the 'new user' name/login to the original - then the 2FA no longer works once again with this new account. Author name changed to the modified original user any way so wouldn't have been a great success anyway. However thought it proved issue with user/name.

So after restore added new user (2FA works) and deleted original user - so no author for articles. So I changed the 'new user' ID in phpmyadmin back to the ID of previous deleted to try and retain the article author - whilst this worked and gave the author back the 2FA fails again with Secret Key no longer required this new user. Problem then not only with username but user ID also.

This seems to work. So a restore - new user - disable old user - then batch change author names in phpmyadmin from old to new user keeps 2FA working correctly and also correct author names - but then obviously any new articles will by default have the new user name. So then changed orinal user name and then change new user name back to old user name - ran another query to update article authors to the new user name (which is now same as original). It works - 2FA now works with new user and new ID (with old user name) and articles are as per original author name.

What’s going on here? Fortunately I have backups and have spent ages trying all this restoring many times to get to this point. But really all I would like to do is to be able to fix the 2FA issue with original account.

Tearing out what little hair I have left- this has worked flawlessly for a long time. I have other sites that 2FA works as it should. But tried another this morning and the secret key issue is there also. So I really do need to get to the bottom of this. But at present seems beyond my scope – or I’ve overlooked the obvious. Ideas (and even better resolutions) appreciated.

[Per Yngve Berg]

Have you tried to do a new setup of 2FA for the user?

[webtek]

Yes. Disabled and re-enabled thus resetting the Google Authenticator incl. deleting resetting on mobile. All goes through motions fine - but then even though the secret key box is available there is no need to input anything. In over 10 years I've never experienced this!