The cause of this is that the user managed to visit a cached version of the login page. As a result, the TFA plugin’s JavaScript code was not present on the page, and so the login form was submitted without that code being run and a TFA code being requested.
If your login page is cached by any page cache in your WordPress install, or cacheing on your hosting company or cloud proxy (e.g. Cloudflare), empty (flush) these caches. If the problem persists, then the page is likely cached by the user’s web browser; encourage them to empty their web browser, and to press the “reload” button in their web browser whilst holding the “shift” key on their keyboard (which will tell their web browser to bypass its cacheing). Or you can temporarily ask them to try in a different web browser or “incognito / private” window until the problem passes when the cache expires.
Alternatively, until the problem clears, tell them to add their TFA code on the end of their password. i.e. If their password is some7$thing (please don’t use that as a password!), and the TFA code is 123456, then they should enter the password as some7$thing123456.
N.B. If this problem happens always for everyone, then you have a faulty component on the login page which is causing a JavaScript error and preventing other components (such as our plugin) from being able to run their own code. To identify it, you should deactivate other WordPress plugins and browser extensions in your browser, reload the page, and confirm that the problem is gone. Then you should begin selectively re-activating those components (and reloading the page), a few at a time, to narrow down which one is causing the problem. You can also open your web browser’s JavaScript console (in its developer tools) to see what errors are there to see if you can identify the component from the its filename.
Posted in: Two Factor Authentication