XF 2.2 Two-factor auth and logout behavior

Rodolfo

Active member
I've noticed that the two-factor implementation doesn't logout.

I believe that this could be considered a security flaw in the implementation, as after logging out the browser is still validated. If I had to log in on someone else's computer, logging out won't remove the two-factor access, and it will log in right away without asking for the OTP.

When you enter a valid two-factor code, the browser stays validated for an entire month, and you have to manually stop trusting the device. I believe there should be an option to automatically stop trusting the device on logout.
Isn't that the whole point of the checkbox to "Trust device for 30 days" when you enter the two-step authentication? If you don't trust the device, but you still want to log in, you would choose not to check it.

If you've changed your mind about trusting the device after the fact, you can "untrust" it at any point in your two-step verification options here: https://xenforo.com/community/account/two-step/

Functionally, you could change the label of the "Trust device for 30 days" checkbox to "Trust device after logging out for 30 days".

Long story short, the option is already there for a user to choose how they want to do it (do they want to keep the device trusted after logging out or not).
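The behaviour both posts describe, as an added illustration that is not XenForo's code: a session and a "trust this device for 30 days" token are separate records, so ending the session on logout leaves the trust token valid until it expires or is untrusted from the account page. The class and method names, the server-side storage of the token as a SHA-256 hash, the 30-day expiry, and the forget_device flag on logout (the option the first post asks for) are all hypothetical choices made for this example.

```python
"""Added example, not XenForo's own implementation: a minimal model of
two-step login with a 30-day trusted-device token, showing why a plain
logout does not revoke the trust and what an opt-in "forget this device
on logout" would change. All names and storage choices are assumptions."""
import hashlib
import secrets

TRUST_SECONDS = 30 * 86400  # assumed "trust device for 30 days" lifetime


class TwoStepAuth:
    def __init__(self):
        self.sessions = {}  # session_id -> user_id
        self.trusted = {}   # sha256(token) -> (user_id, expires_at); only the hash is stored

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _device_trusted(self, user_id, token, now):
        """A trust token is honoured only for its owner and before expiry."""
        if not token:
            return False
        rec = self.trusted.get(self._hash(token))
        if rec is None:
            return False
        owner, expires_at = rec
        return owner == user_id and now < expires_at

    def login(self, user_id, password_ok, now, otp_ok=False,
              trust_token=None, trust_device=False):
        """Returns {'status': 'ok'|'otp_required'|'denied', ...}.
        The OTP step is skipped when the browser presents a valid trust token."""
        if not password_ok:
            return {"status": "denied"}
        already_trusted = self._device_trusted(user_id, trust_token, now)
        if not already_trusted and not otp_ok:
            return {"status": "otp_required"}
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = user_id
        new_token = None
        if trust_device and not already_trusted:
            # The "Trust device for 30 days" checkbox: mint a separate long-lived token.
            new_token = secrets.token_urlsafe(32)
            self.trusted[self._hash(new_token)] = (user_id, now + TRUST_SECONDS)
        return {"status": "ok", "session": session_id, "trust_token": new_token}

    def logout(self, session_id, trust_token=None, forget_device=False):
        """Ends the session only. Trust survives unless forget_device is set
        (hypothetical option; the thread describes trust persisting across logout)."""
        self.sessions.pop(session_id, None)
        if forget_device and trust_token:
            self.trusted.pop(self._hash(trust_token), None)

    def untrust_all(self, user_id):
        """The account page's "untrust" action: revoke every device for the user."""
        self.trusted = {h: rec for h, rec in self.trusted.items() if rec[0] != user_id}


def scenario(now=0):
    """Walks through the shared-computer case from the thread; returns the
    login status after (plain logout, logout with forget_device, 30-day expiry)."""
    auth = TwoStepAuth()
    uid = 42
    # 1. Log in with password + OTP on a shared computer, ticking "trust device".
    r1 = auth.login(uid, True, now, otp_ok=True, trust_device=True)
    cookie = r1["trust_token"]  # the browser keeps this cookie
    # 2. Plain logout: the session is gone, but the trust cookie is still honoured,
    #    so the next login on that browser needs no OTP.
    auth.logout(r1["session"])
    r2 = auth.login(uid, True, now + 60, trust_token=cookie)
    # 3. Logout with the hypothetical forget_device option: OTP is required again.
    auth.logout(r2["session"], trust_token=cookie, forget_device=True)
    r3 = auth.login(uid, True, now + 120, trust_token=cookie)
    # 4. Even without any action, trust lapses on its own after 30 days.
    r4 = auth.login(uid, True, now, otp_ok=True, trust_device=True)
    r5 = auth.login(uid, True, now + TRUST_SECONDS + 1, trust_token=r4["trust_token"])
    return r2["status"], r3["status"], r5["status"]


if __name__ == "__main__":
    print(scenario())
```

Step 2 of scenario() is the situation the first post objects to and the second post says the checkbox already covers: nothing in logout() touches the trusted table, so a checked "trust" box on someone else's computer outlives the session until the user visits the untrust page or the token expires. The storage of only the token hash is a separate hardening choice assumed here, so that a database leak does not hand out working trust cookies.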