We use the SC Login module (8.4.6) to login at the frontend of a Joomla (3.9.26) website. Normal users without Joomla 2 way auth can simply login, but every user with 2 way auth ("Authentication in 2 steps"), can't proceed to the 2 way auth code pop up. The screen simply stays as shown in the attachment; no posibility to enter the 2 way auth code. This occurs since we upgraded to J 3.9.26 in different browsers (tested on Firefox, Chrome and Edge) on all devices (tested on PC, Mobile and Tablet). I don't see errors in the apache log files, in Chrome I see this error:
Request URL:https://www.testsite.nl/modules/mod_sclogin/ajax/otpcheck.php
Status Code: 500 Internal Server Error
Referrer Policy: strict-origin-when-cross-origin
So this looks like some code in otpcheck.php is not conforming to one of our security settings. But we need these settings for the security of the website (protection against cross site scripting), GDPR requirements..
If you need more information about this bug please contact me.