born05 / craft-twofactorauthentication Goto Github PK


Craft plugin for two-factor or two-step login using Time Based OTP.

License: MIT License

PHP 84.30% Twig 15.70%
craftcms-plugin craftcms login two-factor two-step authentication

craft-twofactorauthentication's Introduction

Two-Factor Authentication

Craft 4 plugin for two-factor or two-step login using Time Based OTP (TOTP, as used by Google Authenticator). Every user can set up TOTP themselves; the plugin does not force users. Admins can list usage in user tables.

Inner workings

Login works as usual for users without 2-factor auth.

When enabled, the user is redirected to the 2-factor verification page after login. This means the user is already logged in. When the user tries to visit any Control Panel page other than the public ones before verification, a logout is triggered. This blocks the user from visiting the CP unverified.

Requirements

  • Craft 4.0.0 and up
  • PHP 8.1 and up

Setting up back end 2FA

  • Set verifyBackEnd to true in the config file (this is the default).
  • Set forceBackEnd to true if you want to prevent users from accessing the control panel without first enabling 2FA.

Setting up front end 2FA

When using a login for front end users, the following steps add 2FA support.

  • Copy the two-factor-authentication.php file to your config/ folder.
  • Set verifyFrontEnd to true in the config file.
  • Define which URLs should be protected with 2FA verification. Choose between using frontEndPathAllow or frontEndPathExclude! Using both will block everything! See the config for additional info.
  • Build a 2FA login-verify form accessible by URL, like the example twig.
  • Set the verifyPath. For our login-verify.twig example the path would be login-verify.
  • Allow users setting up 2FA in front end by building a template like the example twig.
  • Set the settingsPath. For our two-factor-settings.twig example the path would be two-factor-settings.

Setting up config

Copy the two-factor-authentication.php file to your config/ folder.

Resetting a user's 2FA

Simply remove the user's twofactorauthentication_user record. This disables 2FA for that user.

Screens

Setting screen when turning 2FA on

Setting screen when turning 2FA off

Login verification screen

License

Copyright © Born05

See license

craft-twofactorauthentication's People

Contributors

brandonkelly, coxeh, mike-moreau, mikestecker, nmenglund, richardjong, roberskine, roelvanhintum, romainpoirier, samuelbirch, tim-wils, weotch

craft-twofactorauthentication's Issues

Question regarding security

We're trying to evaluate 2fa options for Craft and had questions regarding this plugin's exact functionality. It's using EVENT_AFTER_LOGIN to create the redirect, but would it prevent the execution of controller actions, for example?

I see in issue #22 there's a reference to "in depth security tests", but haven't seen exactly what that entails. Thanks.

Non-admin user given permission to `editUsers` sees a 500 error when adding two-factor authentication as a column

A non-admin user given permission to manage other Craft users sees a 500 error when adding two-factor authentication as a column in EVENT_SET_TABLE_ATTRIBUTE_HTML.

Error:
[error][Twig\Error\RuntimeError] yii\base\UnknownPropertyException: Getting unknown property: craft\elements\User::hasTwoFactorAuthentication in
/vendor/yiisoft/yii2/base/Component.php:155

Fix description:
If a user is given access to editUsers and has permission to accessPlugin-two-factor-authentication, they should see what admins see.

Fix 1: Allow non-admins who can editUsers to see the two-factor authentication column without a 500 error

if ($event->attribute == 'hasTwoFactorAuthentication' && $currentUser->admin) {

update to

if ($event->attribute == 'hasTwoFactorAuthentication'
    && $currentUser->can('editUsers')
    && $currentUser->can('accessPlugin-two-factor-authentication')) {

Optional fix 2: Allow non-admins who can editUsers to disable two-factor for other users

if (Craft::$app->getUser()->getIsAdmin() && !$context['isNewUser']) {

update to

$currentUser = Craft::$app->getUser()->getIdentity();
if ($currentUser->can('editUsers')
    && $currentUser->can('accessPlugin-two-factor-authentication')
    && !$context['isNewUser']) {

if (Craft::$app->getUser()->getIsAdmin()) {

update to

$currentUser = Craft::$app->user->getIdentity();
if ($currentUser->can('editUsers') && $currentUser->can('accessPlugin-two-factor-authentication')) {

Session duration

The plugin will fail if userSessionDuration is set to 0 or false in the general.php config. I'm getting:

Exception: DateInterval::__construct(): Unknown or bad format (PT-1S) in .../vendor/born05/craft-twofactorauthentication/src/services/Verify.php:52

If I set userSessionDuration to a positive number, it works.

rememberedUserSessionDuration of false causes crash

The Craft CMS config value rememberedUserSessionDuration being set to false instead of a time (e.g. 'P1D') causes the following PHP error.

Exception: DateInterval::__construct(): Unknown or bad format () in /var/www/craft/plugins/twofactorauthentication/services/TwoFactorAuthentication_VerifyService.php:41
(see source)

Perhaps a sane default value for $sessionDuration when rememberedUserSessionDuration is false would be good? A few hours or a day perhaps?

Doesn't work on time out dialogue

When the time-out dialogue appears asking you to re-enter your password, there is no way to enter the 2FA code again, so although the password is correct and the dialogue disappears to show the CP again, the user is not actually logged in. A click to another page then redirects to the login page.

User check for 2fa

I might be missing something obvious here, but if a user decides to remove 2FA, how do I know if the user has done this? I currently send the user to a 2FA code form, but if the user has decided to disable 2FA, how do I detect this and allow them to bypass the 2FA form?

Craft 4 support

Hi there!

Will this plugin receive an update for Craft 4? Built-in Craft 4 support for 2FA has been postponed until at least Craft 4.1, so this plugin is still relevant for us.

Feature Request: Disable Config Option

It would be nice to have a config option that lets me disable the 2FA login step. This would be useful when working in development environments so I don't have to manually disable the plugin every time I sync a database from production.

Wrong download url?

Is the downloadUrl in release.json wrong?

"downloadUrl": "https://github.com/born05/craft-assetusage/archive/1.0.1.zip",

I got the assetusage plugin when I tried to update.

No option to blacklist the homepage from 2FA

When you want to disallow access to the homepage, e.g. domain.com/ without a path, users will get redirected to the verification page but can manually go back to the homepage without verification.

Stable Release Date

Not really an issue, more of a question, but any ideas of when a stable release might happen for the Craft 3 version?

We want to use this for a client of ours but aren't too keen on using software which is still in beta as we'd like to avoid as many bugs as possible. Looks like a great plugin though, good work!

Rename 2FA in Microsoft Authenticator

Good evening, I'm having a similar issue to the user with Google Authenticator. I have renamed my site; however, it shows as CraftCMS and the email address in the authenticator and not the company/website system name?

Any help would be appreciated.

Kind regards

Nick

Integrity constraint violation

I have a website running two-factor authentication.

When I click the disable 2FA in the back-end for a user I get the following error:

SQLSTATE[23000]: Integrity constraint violation: 1452 Cannot add or update a child row: a foreign key constraint fails (passwordprotectedwebsite.twofactorauthentication_session, CONSTRAINT twofactorauthentication_session_sessionId_fk FOREIGN KEY (sessionId) REFERENCES sessions (id) ON DELETE CASCADE) The SQL being executed was: INSERT INTO twofactorauthentication_session (userId, sessionId, dateVerified, dateCreated, uid, dateUpdated) VALUES (3, 0, '2019-02-28 12:06:45', '2019-02-28 12:06:45', 'f1410a70-0a99-41bf-8af9-f8c59de7c492', '2019-02-28 12:06:45')

I'm running:

  • Craft Pro 3.1.15
  • PHP 7.2.10
  • Two-Factor Authentication 2.1.0

Rename 2fa in Google auth

How do you set the label name in the google authenticator app?
When I scan the QR code, it sets the code number label to "Craft CMS ([email protected])".
Can I change this to the company name?

I never see the 2-factor verification page

Hi

I'm not sure if I'm missing something, but no matter what I do, I never see the 2-factor verification page. I just get logged in straight to the dashboard.

  • I have setup the config file as per the example.
  • verifyBackEnd is true
  • I have completed the setup process with Google Authenticator on the settings page.
  • I see the green "Your account is secured" text on the settings page.

If I log out and log back in, I go straight to the dashboard. No 2-factor verification.

If I delete the user's record from the twofactorauthentication_user database table and try logging in again, I still go straight to the dashboard. No 2-factor authentication.

The user's record in the twofactorauthentication_user database table does not get recreated until I return to the plugin's settings page.

I have tried with both an admin account and a non-admin account.

I am testing locally at the moment, which I assume is OK? I can't think of anything else to try. Am I missing something?

Thanks!

Craft version: 3.6.11.2 (also tested with 3.6.6)
Plugin version: 2.8.1

DateInterval::__construct(): Unknown or bad format if userSessionDuration set to 0

Using this setting value in my config/general.php file:
'userSessionDuration' => 0, // users will stay logged in as long as its browser is open
https://docs.craftcms.com/v3/config/config-settings.html#usersessionduration

I get this error:
Exception DateInterval::__construct(): Unknown or bad format (PT-1S)

born05/craft-twofactorauthentication/src/services/Verify.php @ line 54:
$minimalSessionDate->sub(new DateInterval('PT' . $sessionDuration . 'S'));

craft-twofactorauthentication version: 2.2.0

Error "Element query executed before Craft is fully initialized"

Hi there,

Within Craft 4, this plugin seems to trigger a warning Element query executed before Craft is fully initialized. I have converted this warning to an exception to see the cause of the error. This is the stack trace that is being thrown.

2022-06-27 15:39:55 [web.ERROR] [yii\base\Exception] Element query executed before Craft is fully initialized. {"trace":["#
0 /app/vendor/yiisoft/yii2/db/QueryBuilder.php(227): craft\\elements\\db\\ElementQuery->prepare(Object(craft\\db\\mysql\\QueryBuilder))","#
1 /app/vendor/yiisoft/yii2/db/Query.php(157): yii\\db\\QueryBuilder->build(Object(craft\\elements\\db\\UserQuery))","#
2 /app/vendor/yiisoft/yii2/db/Query.php(287): yii\\db\\Query->createCommand(Object(craft\\db\\Connection))","#
3 /app/vendor/craftcms/cms/src/db/Query.php(180): yii\\db\\Query->one(NULL)","#
4 /app/vendor/craftcms/cms/src/elements/db/ElementQuery.php(1451): craft\\db\\Query->one(NULL)","#
5 /app/vendor/craftcms/cms/src/elements/User.php(539): craft\\elements\\db\\ElementQuery->one()","#
6 /app/vendor/yiisoft/yii2/web/User.php(697): craft\\elements\\User::findIdentity(1)","#
7 /app/vendor/craftcms/cms/src/web/User.php(500): yii\\web\\User->renewAuthStatus()","#
8 /app/vendor/yiisoft/yii2/web/User.php(198): craft\\web\\User->renewAuthStatus()","#
9 /app/vendor/born05/craft-twofactorauthentication/src/services/Request.php(24): yii\\web\\User->getIdentity()","#
10 /app/vendor/born05/craft-twofactorauthentication/src/Plugin.php(62): born05\\twofactorauthentication\\services\\Request->validateRequest()","#
11 [internal function]: born05\\twofactorauthentication\\Plugin->born05\\twofactorauthentication\\{closure}(Object(yii\\base\\Event))","#
12 /app/vendor/yiisoft/yii2/base/Event.php(312): call_user_func(Object(Closure), Object(yii\\base\\Event))","#
13 /app/vendor/yiisoft/yii2/base/Component.php(642): yii\\base\\Event::trigger('craft\\\\services\\\\...', 'afterLoadPlugin...', Object(yii\\base\\Event))","#
14 /app/vendor/craftcms/cms/src/services/Plugins.php(275): yii\\base\\Component->trigger('afterLoadPlugin...')","#
15 /app/vendor/craftcms/cms/src/base/ApplicationTrait.php(1471): craft\\services\\Plugins->loadPlugins()","#
16 /app/vendor/craftcms/cms/src/web/Application.php(105): craft\\web\\Application->_postInit()","#
17 /app/vendor/yiisoft/yii2/base/BaseObject.php(109): craft\\web\\Application->init()","#
18 /app/vendor/yiisoft/yii2/base/Application.php(204): yii\\base\\BaseObject->__construct(Array)","#
19 [internal function]: yii\\base\\Application->__construct(Array)","#
20 /app/vendor/yiisoft/yii2/di/Container.php(419): ReflectionClass->newInstanceArgs(Array)","#
21 /app/vendor/yiisoft/yii2/di/Container.php(170): yii\\di\\Container->build('craft\\\\web\\\\Appli...', Array, Array)","#
22 /app/vendor/yiisoft/yii2/BaseYii.php(365): yii\\di\\Container->get('craft\\\\web\\\\Appli...', Array, Array)","#
23 /app/vendor/craftcms/cms/src/Craft.php(53): yii\\BaseYii::createObject(Array, Array)","#
24 /app/vendor/craftcms/cms/bootstrap/bootstrap.php(239): Craft::createObject(Array)","#
25 /app/vendor/craftcms/cms/bootstrap/web.php(40): require('/home/tde/domai...')","#
26 /app/public/index.php(11): require('/home/tde/domai...')","#
27 {main}"],"memory":2205512,"exception":"[object] (yii\\base\\Exception(code: 0): Element query executed before Craft is fully initialized. at /app/vendor/craftcms/cms/src/elements/db/ElementQuery.php:1206)"}

A potential solution would be to wrap the code in an init event. This ensures that the code is executed right after Craft is initialised (the moment all plugins are loaded).

use craft\web\Application as WebApplication;

\Craft::$app->on(WebApplication::EVENT_INIT, function () {
  // Code that runs element queries goes here, after all plugins are loaded
});

Array to string conversion error

After upgrading from 2.2.0 to 2.6.1 and changing frontEndPathWhitelist to frontEndPathAllow + frontEndPathBlacklist to frontEndPathExclude (following breaking change since 2.6.0) I got this error on front-end:

PHP Notice – yii\base\ErrorException
Array to string conversion

/vendor/born05/craft-twofactorauthentication/src/services/Request.php
if ($this->isRegex("/$path/i")) { // line 150

Reverting to frontEndPathBlacklist + frontEndPathBlacklist fixes this. Am I wrong, or was I still supposed to use allow/exclude in favor of whitelist/blacklist like I did?

Unable to verify your data (no CSRF token posted)

When trying to use the 2fa for the backend I get a 'could not verify your data' after submitting the 2fa code. When looking in the post data I also do not see the csrf token being posted along with the 'authenticationCode' parameter. Did something change? It worked before.

Regards

Can access CP without 2FA with ForceBackEnd set to true

Description of issue

With ForceBackEnd set to true in the config (and VerifyBackEnd set to true as well), I would expect the following:

After logging in, I see the page for setting up 2FA. If I skip the 2FA set up and then access the CP by URL, I am logged out and redirected to the CP log in page.

However, what happens instead is:

After logging in, I see the page for setting up 2FA. If I skip the 2FA set up and then access the CP by URL, I can see the CP and am logged in. If I go to the 2FA page in the CP, I can see that I don't have 2FA enabled.

Additional context

  • I have confirmed that both VerifyBackEnd and ForceBackEnd are set to true and the rest of the config uses default values.
  • The twofactorauthentication_user database table shows that dateVerified is null in the user's record as expected. The issue persists after deleting the user's record in the table.
  • This issue is happening in both local and staging environments using an admin account.

Craft version: 3.5.19.1
Plugin version: 2.9.0

Impersonating Users

We've recently implemented this plugin and set forceBackEnd to true.

Admins or other users with the "Impersonate Users" permission are now asked to either set up 2FA or enter the verification code of the user they're impersonating.

Is there a way to subvert this when using the CraftCMS impersonate user option?

Error when activating plugin

Steps:

  1. Composer require "born05/craft-twofactorauthentication" (installs version 2.0)
  2. Activate via control panel
  3. Website breaks and shows error:

Call to undefined method craft\elements\User::authData()
in /var/www/localxxxxx.nl/vendor/born05/craft-twofactorauthentication/src/services/Verify.php

Craft 3.1 support

Liking what you're doing with this plugin - keep up the great work!
I'd be keen to see the 3.1 branch get over the line and merged + released.

In the meantime I am directly installing from the latest commit in your craft-3.1 branch; if anyone else with this issue wants to do the same, here's what I added to my composer.json file:

  "repositories": [
    {
      "type": "vcs",
      "url": "https://github.com/born05/craft-twofactorauthentication"
    }
  ],

and

"born05/craft-twofactorauthentication": "dev-craft-3.1#b5bbd6347df74ae4f5814d30225a9fa0da4362aa"

Please provide examples on how to enable frontend 2FA

Hi, I would like to see some examples on how to enable 2FA for the frontend.

Especially for the frontEndPathWhitelist and/or blacklist settings.

You already provide two example templates for settings and verify. Which of them is the "2FA form" you refer to in step 1?

Issue installing 2.7.0

When installing 2.7.0 for the first time I'm getting this error:

Exception: Class 'born05\twofactorauthentication\records\Session' not found (/Users/reinhard/Work/Clif Bar - Next/craft-cms/vendor/born05/craft-twofactorauthentication/src/migrations/Install.php:19)
#0 /Users/reinhard/Work/Clif Bar - Next/craft-cms/vendor/craftcms/cms/src/db/Migration.php(52): born05\twofactorauthentication\migrations\Install->safeUp()
#1 /Users/reinhard/Work/Clif Bar - Next/craft-cms/vendor/craftcms/cms/src/db/MigrationManager.php(232): craft\db\Migration->up(true)
#2 /Users/reinhard/Work/Clif Bar - Next/craft-cms/vendor/craftcms/cms/src/base/Plugin.php(140): craft\db\MigrationManager->migrateUp(Object(born05\twofactorauthentication\migrations\Install))
...

Front end form

Is it possible to use this for front end login forms?

Issue using 2.6.3 for admin auth

I installed 2.6.3 because I was having issues with 2.7.0 (see #46) onto Craft 3.5.13. I am being shown the field to enter my code:

However, the server is returning a 400 response on every submit. Looking into the web.log, I see errors like this:

2020-10-15 17:31:37 [-][-][-][error][yii\web\HttpException:403] yii\web\ForbiddenHttpException: Login Required in /Users/reinhard/Work/Clif Bar - Next/craft-cms/vendor/yiisoft/yii2/web/User.php:456
Stack trace:
#0 /Users/reinhard/Work/Clif Bar - Next/craft-cms/vendor/craftcms/cms/src/web/Controller.php(267): yii\web\User->loginRequired()
#1 /Users/reinhard/Work/Clif Bar - Next/craft-cms/vendor/craftcms/cms/src/web/Controller.php(154): craft\web\Controller->requireLogin()
#2 /Users/reinhard/Work/Clif Bar - Next/craft-cms/vendor/yiisoft/yii2/base/Controller.php(178): craft\web\Controller->beforeAction(Object(yii\base\InlineAction))
#3 /Users/reinhard/Work/Clif Bar - Next/craft-cms/vendor/craftcms/cms/src/web/Controller.php(189): yii\base\Controller->runAction('login-process', Array)
#4 /Users/reinhard/Work/Clif Bar - Next/craft-cms/vendor/yiisoft/yii2/base/Module.php(528): craft\web\Controller->runAction('login-process', Array)
#5 /Users/reinhard/Work/Clif Bar - Next/craft-cms/vendor/craftcms/cms/src/web/Application.php(274): yii\base\Module->runAction('two-factor-auth...', Array)
#6 /Users/reinhard/Work/Clif Bar - Next/craft-cms/vendor/craftcms/cms/src/web/Application.php(577): craft\web\Application->runAction('two-factor-auth...', Array)
#7 /Users/reinhard/Work/Clif Bar - Next/craft-cms/vendor/craftcms/cms/src/web/Application.php(253): craft\web\Application->_processActionRequest(Object(craft\web\Request))
#8 /Users/reinhard/Work/Clif Bar - Next/craft-cms/vendor/yiisoft/yii2/base/Application.php(386): craft\web\Application->handleRequest(Object(craft\web\Request))
#9 /Users/reinhard/Work/Clif Bar - Next/craft-cms/web/index.php(21): yii\base\Application->run()
#10 /Users/reinhard/.composer/vendor/laravel/valet/server.php(191): require('/Users/reinhard...')
#11 {main}
2020-10-15 17:31:37 [-][-][-][info][application] $_GET = [
    'p' => 'admin/actions/two-factor-authentication/verify/login-process'
]

$_POST = [
    'authenticationCode' => '504287'
]

I am using 1Password as my 2FA client. It accepted the QR code generated by this package without issue. Any suggestions?

Use for non-CP pages?

It looks like this plugin only works for CP access - is that correct? Is it possible to define your own templates for setting up the 2FA? I'd love to be able to use this for our users that login to a subscription-only portion of our Craft site, rather than just admins/CP users.

CloudFront + force enable 2FA page (login redirect loop)

Unsure why, but when our website is behind AWS CloudFront it causes a redirect loop back to the /admin/login page rather than going to the force enable 2FA page when we have forceBackEnd=true.

When we test locally or direct to the ElasticBeanstalk instance, it all works.

Do you have any insight or advice on what might be causing this or how we might approach debugging it?

Add Dutch translation

I created this translation file (in /translations/nl/app.php).
Posting it here to help with a Dutch translation in the plugin itself.

<?php

return [
    'Why two-factor authentication?' => 'Waarom tweestapsverificatie?',
    'With two-factor authentication you can improve protection of your account, because your phone (or other device) is needed as a second step during login.' => 'Met tweestapsverificatie kun je de bescherming van je account verbeteren, omdat je telefoon (of een ander apparaat) nodig is als tweede stap tijdens het inloggen.',
    'When enabled, login has an extra required step: First you login as usual, second you need to enter a code generated by your personal device.' => 'Na inschakeling bevat het inloggen een extra verplichte stap: eerst log je in zoals gewoonlijk, daarna moet je een code invoeren gegenereerd op je persoonlijke apparaat.',
    'Your account is secured.' => 'Je account is beveiligd.',
    'Two-factor authentication is enabled for your personal account.' => 'Tweestapsverificatie is ingeschakeld voor je persoonlijke account.',
    'Disable two-factor authentication' => 'Tweestapsverificatie uitschakelen',
    'To disable two-factor authentication, click the button below.' => 'Klik op de knop hier beneden om tweestapsverificatie uit te schakelen.',
    "I don't want two-factor authentication" => 'Ik wil geen tweestapsverificatie',
    'Step 1: Download app' => 'Stap 1: Download de app',
    'Install a TOTP app like {linkOpen}Google Authenticator{linkClose} to set-up.' => 'Installeer een TOTP app zoals {linkOpen}Google Authenticator{linkClose} om te beginnen.',
    'Step 2: Setup your device with your personal secret' => 'Stap 2: Configureer je apparaat met je persoonlijke geheim',
    'To turn on two-factor authentication for your personal account, please use either the secret code or the QR code.' => 'Gebruik de geheime code of de QR code om tweestapsverificatie voor je persoonlijke account aan te zetten.',
    'Your secret code:' => 'Je geheime code:',
    'Your QR code:' => 'Je QR code:',
    'Make sure to setup using time-based authentication.' => 'Controleer dat je configureert met tijdsgebaseerde authenticatie (time-based authentication).',
    'Step 3: Verify the code from your device' => 'Stap 3: Controleer de code van je apparaat',
    'Please enter the code from your device, do note it changes every few seconds.' => 'Voer de code in van je apparaat. Let op: dit verandert iedere zoveel seconden.',
    "Authentication Code" => 'Authenticatiecode',
    "Verify" => "Controleren",
    'Two-Factor Authentication' => 'Tweestapsverificatie',
    "Enter the authentication code from your phone." => 'Voer de authenticatiecode in van je telefoon.',
    "Experiencing any issues? Contact your administrator for help." => 'Kom je problemen tegen? Neem contact op met je systeembeheerder voor hulp.',
    'Go to settings' => 'Ga naar instellingen',
    'Two-factor authentication is not turned on for your account!' => 'Tweestapsverificatie is niet ingeschakeld voor je account!',
    'Secure your account' => 'Beveilig je account',
    '2-Factor Auth' => '2-Staps verificatie',
    'Enabled' => 'Ingeschakeld',
    'Not enabled' => 'Uitgeschakeld',
    'Authentication code is invalid.' => 'Authenticatiecode is ongeldig',
    'Logged in.' => 'Ingelogd.',
    'Spaces are not allowed in the authentication code.' => 'Spaties zijn niet toegestaan in de authenticatiecode',
    'Two-factor authentication status' => 'Tweestaps authenticatie status',
];

Can't login as user with 2FA enabled

When attempting to log in as a user from the CP, the following error is thrown:

Unauthorized

User is not permitted to perform this action

from the action admin/actions/two-factor-authentication/settings/force.

Versions:

  • Craft Pro 3.4.5
  • Two-Factor Authentication 2.4.0

Feature Request: Enable/Disable 2FA for certain user groups

At the moment the enabling/disabling feature in the user editor is only visible for admins. Do you see any chance to implement a feature to allow certain groups (those who are taking care of the community) to disable/enable 2FA in the backend?

Either as a setting in two-factor-authentication.php by adding the group id, or by using the regular permissions setting of Craft?

Bypassing 2FA in front-end

I'm probably missing something, but it seems like I'm able to get around the 'Verify Code' screen after logging in simply by returning to the URL that initiated the login.

Example:
This URL requires login: /protected
After entering credentials I'm redirected to /protected/verify
Returning to /protected lets me see the page

My config file:

<?php

return [
    'verifyFrontEnd' => true,
    'forceFrontEnd' => true,
    'forceBackEnd' => false,

    'verifyPath' => '/protected/verify',
    'settingsPath' => '/protected/two-factor-settings',
    'frontEndPathWhitelist' => [
        '*' => [],
    ],
    'frontEndPathBlacklist' => [
        '*' => ['/protected'],
    ],
];

Craft CMS 3.1.34.3
Two-Factor Authentication Plug-In: 2.2.0

rememberedUserSessionDuration ignored?

Hi,

I set up this plugin for a client and it works great, except that it looks like the plugin ignores 'rememberedUserSessionDuration'. This is set to 1 week for my client, but when two-factor auth is enabled for a user they are logged out after an hour. Even if I set 'userSessionDuration' to 1 week the users are logged out after 1 hour. If I check the cookies of the client I see the expiry date is 7 days later. Any idea why the user is logged out so fast?

My duration settings

// Durations
'defaultTokenDuration' => 604800, // 1 week
'purgePendingUsersDuration' => 0, // disable
'verificationCodeDuration' => 604800, // 1 week
'rememberedUserSessionDuration' => 604800, // 1 week
'userSessionDuration' => 604800, // 1 week

Server time setting GMT +1 Amsterdam
Craft time setting UTC + 1 Amsterdam

Config Options Explanation

Thanks for this plugin! Could you explain what these config options do?

'verifyFrontEnd'
'forceFrontEnd'
'forceBackEnd'

Can't log in after activating 2FA

Hey. I can't log in after activating 2FA. The process to activate works correctly then I log out. After logging in, I'm redirected to the 2FA input but clicking verify shows the progress indicator for about 200ms then nothing happens.

I've attached the logs.
web-404s.log
web.log

Unforgiving Timeout

The plugin is logging active users out roughly every 10 minutes, without warning or saving progress. I would think if the user was active it wouldn't timeout. However, currently the plugin will kill the session while the user is editing an entry. There's no way of knowing this until the page refreshes, so our editors are continuing to make edits, but since the session is dead autosave is no longer saving their progress. So whenever they try to save manually, they get redirected to login with any work they've done since the session ended lost.

Ideally the session would not get interrupted if the user is active... Or at least auto-saving changes before killing it would be helpful.

Couldn't install plugin

Application Version
PHP version 7.2.8
Database driver & version MySQL 5.5.5
Image driver & version GD 7.2.8
Craft edition & version Craft Pro 3.0.19
Yii version 2.0.15.1
Twig version 2.5.0
Guzzle version 6.3.3
Imagine version 0.7-dev

Plugin Version
Empty Coalesce 1.0.0
Entry Instructions 1.0.0
Expanded Singles 1.0.4
Olivemenus 1.0.0
Redactor 2.1.5
Redactor Tweaks 2.0.2
SEOmatic 3.1.11

I tried to install the plugin via the plugin store and by adding it with composer, but I can't install it.

Usergroups empty after disabling 2FA

As an admin, when I disable 2FA for a user, the page reloads.
When a user belongs to a user group, this group is now unchecked. So if I save the current user, it is removed from that user group.

However when I reload the page, the user is correctly in the user group (and is correctly saved).

Maybe a bug within Craft?

PS: thanks again for this great plugin

FR: reset authenticator from CMS

As @lukebaily indicated, it would be helpful if user admins can reset the Authenticator from the CMS.
Currently we have to do this manually via the database, which is not practical for our site with 100+ users.

Settings page for "delayed auth"

This is meant as an enhancement suggestion:
I often find myself trying to log in with a "just in that moment"-expired 2FA code, using a password manager that automatically copies the 2FA code to my clipboard and me just pasting it in, without knowing how much time there is left.

As far as I can tell some other services already do something like that where they allow a recently expired key to still be valid.

Would be nice to have something like:

$current = $totp->verify($otp);
$delayed = $totp->verify($otp, time() - 5);

as validation.

Where 5 would ideally be set via a settings page of the plugin itself (or config file).
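The "recently expired code" idea above, as an added example that is not the plugin's code: a plain-Python TOTP verifier (RFC 4226/6238, HMAC-SHA1, 30-second steps) that accepts one time step of clock skew on either side and, in the same pass, refuses a code that has already been accepted. The function names (hotp, totp, verify_totp, secret_from_base32) and the last_counter bookkeeping are my own; the demo secret is the RFC 6238 reference secret, not a real one.

```python
"""TOTP verification with a clock-skew window and single-use (replay) protection."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret shown next to the QR code (apps usually omit '=' padding)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, window: int = 1,
                step: int = 30, digits: int = 6,
                last_counter: Optional[int] = None) -> Optional[int]:
    """Return the matched time-step counter, or None if the code is rejected.

    window=1 also accepts the previous and the next step, which covers the
    "expired while I was pasting it" case without a tunable number of seconds.
    last_counter is the counter of the last code this user successfully used
    (store it per user); a code at or below it is rejected, so every code is
    single-use as RFC 6238 section 5.2 recommends. The caller persists the
    returned counter as the new last_counter.
    """
    if at is None:
        at = int(time.time())
    if not (code.isdigit() and len(code) == digits):
        return None  # reject spaces, letters, wrong length before doing any crypto
    current = at // step
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue  # already used, or older than the last used code: replay
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo: RFC 6238 reference secret, ASCII "12345678901234567890".
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(demo_secret, 59)                                   # 287082 per RFC 6238
    print(code, verify_totp(demo_secret, code, at=89))             # accepted one step late
    print(verify_totp(demo_secret, code, at=89, last_counter=1))   # None: replay
    print(verify_totp(demo_secret, code, at=119))                  # None: two steps late
```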

Call to undefined method craft\elements\User::authData() since Craft 3.1

I've just updated to Craft 3.1, and got these errors:

  • Can't pass the Two-Factor Authentication on CP;
  • On front-end: Call to undefined method craft\elements\User::authData();

After reading the 3.1 changelog, I can see:

  • Removed craft\elements\User::authData()

Please can you fix this? Thank you!

Does this plugin support triggering `\yii\web\User::EVENT_AFTER_LOGIN`?

Related to verbb/default-dashboard#4, it seems this plugin may not be triggering the built-in Yii event \yii\web\User::EVENT_AFTER_LOGIN after a successful login. This means that a lot of functions that rely on this may not be triggered when using this plugin.

More of a priority, but things like Commerce (https://github.com/craftcms/commerce/blob/develop/src/Plugin.php#L304) rely on this behaviour to do certain tasks, so I'd say it's relatively important.
