Open Closed

Question on 'Require Verified Phone to Sign In' setting #2757


User avatar
0
balessi75 created

Abp Commercial 1.5.3 / Blazor Server / EF / Non-Tiered

Hi, We noticed that when phone verification is required to sign in, the first attempt to save the phone number at login is saved to the database before the phone number is verified. If the number is never verified, say because they typed the wrong number in, the number input recalls the previous value from the database and is then always disabled on the login UI - so the user can never correct the number to be verified.

Is this by design? And if so, I'm just curious about the rational...

Thanks in advance!


3 Answer(s)
  • User Avatar
    0
    berkansasmaz created
    Support Team .NET Developer

    https://docs.abp.io/en/commercial/latest/modules/identity/two-factor-authentication#why-dont-users-receive-a-verification-code-even-2fa-enabled

    Although the 2FA setting is enabled, users may not be able to use 2FA. This is because the user does not have a verified e-mail or phone number. The verification code cannot be sent to an unverified address for security measures. Ensure that Verified label next to email or phone number to ensure that corresponding user can receive verification code.

    2FA cannot be used for unverified phone numbers and email addresses, one must be verified.

    I tested this situation on version 5.2.0-rc.1 and I did not see a problem.

    Note: As far as I know there were a few bugs about this in older versions but the issues have been fixed, FYI.


    Closing the issue. Feel free to re-open or create a new issue if you have further questions related to this topic.

  • User Avatar
    0
    balessi75 created

    Ok, that makes sense for two factor, but what we are actually testing here is the 'Require Verified Phone' option, which requires a verified Phone to sign in. Once verified, the user can sign in - this applies even if two factor is turned off.

    When this setting is turned on, Abp allows the user to verify their phone during the sign in process. So what we are finding is that during the verification process, they get one chance to enter their phone, from there, if they entered the wrong phone, it's saved to the database and can never be updated again. Therefore, the user can never login.

    I've updated the issue title to more accurately reflect the issue.

  • User Avatar
    0
    berkansasmaz created
    Support Team .NET Developer

    Thanks for the explanation and report.

    I agree, I think this is a problem.

    As a result, I am creating an internal issue related to the subject.


    Closing the issue. Feel free to create a new issue if you have further questions.

Made with ❤️ on ABP v9.1.0-preview. Updated on December 10, 2024, 06:38