Wp-calypso: Login: 2FA via SMS: no push notification when I click "The WordPress mobile app"

Created on 17 May 2017 · 5 Comments · Source: Automattic/wp-calypso

Steps to reproduce:

  • enable 2FA via SMS for your account
  • log in to that same account in the WordPress mobile app
  • visit /login and enter your username and password
  • you'll be redirected to /login/sms where you can see the link "The WordPress mobile app" to receive a push notification
  • click that link and observe that you won't receive a notification on your phone.

Seems to work fine when you have 2FA enabled via an authenticator app instead.

Maybe related to #14152.

Login [Type] Bug

All 5 comments

When you have SMS as a primary method you will never see push notification with the current server side configuration.

My initial reaction to this was to create a new endpoint to send or re-send a push notification, but after talking to @scruffian, he suggested:

  • Sending a push notification to all users that have push enabled.
  • Taking all users with push enabled to /login/push by default.

This is basically the solution to #14152, so I don't think we need to do anything here if that is implemented.

Currently, sending the push notification is throttled to once every two minutes, so this might be serving a rather obscure use case:

  1. The user signs in with an account with 2FA enabled.
  2. They are sent a push notification.
  3. They dismiss the push notification.
  4. They click to use a different method.
  5. Two minutes have passed since step two.
  6. They have changed their mind and decide to use the mobile app, and click the TwoFactorActions link for this.
  7. They receive another push notification.

If step five doesn't happen (which, I would imagine, would be for the majority of users that end up in such a flow, which is also a very small number of users), then the notification is throttled and they would presumably see an error notice, which isn't very helpful.

The existing behavior of wp-login.php does not allow users to "re-send" a push notification. If they click to use Authenticator/SMS instead, there is no path back. If they try to log in again during the push notification throttle period, they are only given the option to log in with Authenticator/SMS.
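An added JavaScript model of the two-minute push throttle discussed in this comment (example code, not wp-calypso's own; the notifier class, user id and timings are constructed), showing that whether step five happens decides if the re-request at step six is delivered or refused, and surfacing the remaining wait so the client can show something better than a bare error:

```javascript
// Constructed model of the server-side push throttle described in the thread.
const PUSH_THROTTLE_MS = 2 * 60 * 1000; // "once every two minutes"

class PushNotifier {
  constructor(throttleMs = PUSH_THROTTLE_MS) {
    this.throttleMs = throttleMs;
    this.lastSentAt = new Map(); // userId -> timestamp (ms) of the last push
    this.sent = []; // constructed delivery log
  }

  // Try to deliver a 2FA push to `userId` at time `now` (ms).
  // Returns { sent: true } or { sent: false, retryAfterMs } when throttled.
  requestPush(userId, now) {
    const last = this.lastSentAt.get(userId);
    if (last !== undefined && now - last < this.throttleMs) {
      return { sent: false, retryAfterMs: this.throttleMs - (now - last) };
    }
    this.lastSentAt.set(userId, now);
    this.sent.push({ userId, at: now });
    return { sent: true };
  }
}

// Walk the seven-step flow from the thread. `waitedMs` is how long the user
// took between the first push (step 2) and clicking the app link (step 6).
function simulateSwitchBack(waitedMs) {
  const notifier = new PushNotifier();
  const userId = 'user-123'; // constructed
  const first = notifier.requestPush(userId, 0); // steps 1-2: sign in, push sent
  // steps 3-4: user dismisses the push and picks another method; no server call
  const second = notifier.requestPush(userId, waitedMs); // step 6: back to the app
  return { first, second, pushesSent: notifier.sent.length };
}
```

With `waitedMs` below two minutes the second request is refused with the time left in the window; at or beyond two minutes the user receives a second push (step 7).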

I agree with that. It feels like this is involving a rather large amount of work, for little benefit. I understand @scruffian's point that, from a design perspective, it'd be good if users could always have access to all forms of authentication available to them. On the other hand, it sounds like supporting multiple push notifications is more work than the user value it provides. Considering all this, I'd call this a won't fix -- but it'll still require changes to remove the link back to /login/push from /login/sms and /login/authenticator.

Fixed in #14659.
