Two Factor Authentication

Support Specialist
1 month 1 week ago #68879 by mel
Replied by mel on topic Two Factor Authentication
Can you describe what you mean by being logged in? If you turn on multi-factor authentication, have a code set up for the user and hit login, there will be two buttons - to validate and to sign out. If you try to go to any of your site's pages, the prompt will come up. Maybe you'll be technically logged in, but you won't be able to interact with the page until the validation is performed. If this is not the behavior you're seeing, please provide a URL where I can see the behavior in action.

On the front-end, the user should be able to go into their Joomla profile to add multi-factor keys. It's usually with an authenticator app or a passkey. That's separate from SCLogin. We don't handle that.
Support Specialist
1 month 1 week ago #68886 by mel
Replied by mel on topic Two Factor Authentication
Can you verify that you're hitting the Log In button and not the Sign in with Passkey button?
1 month 1 week ago #68888 by sutpat
Replied by sutpat on topic Two Factor Authentication
I have set it so that when the user registers and logs in for the first time, the user must set up a multi-factor key. The next time they log in, I want a login popup to appear for users to enter their code. But now I'm facing a problem. When I enter the username and password and press the Login button, in the modal slogin-secretkey it turned out that I didn't need to enter the secret key value. I can log in. It then sent me to a Joomla confirmation page to verify the code.

What I really need is this: when I enter my username and password and hit the login button, I want Joomla authentication to be displayed as a modal instead of being sent to another page.

ehss.co.th
This is my page. You could try registering and then logging in so you can understand me better, because I can't explain it well.

Thank you
Support Specialist
1 month 1 week ago #68899 by mel
Replied by mel on topic Two Factor Authentication
I went through your registration and understand what you mean.

The initial prompting of the code is in a modal after 9.1.77. However, if the user pushes log in without a code, they're not actually logged in. Joomla redirects to the multifactor authentication page and needs the code. On the OTP modal, SCLogin passes the login flow to the Joomla Users Component to perform the login. We have no control of what the Joomla Users Component does if the user has tried to submit with an empty key.

On a side note, I am working on another thread for multiauth. 9.1.77 caused some other bugs so I am going to have to fix the secret key popping up in a modal in a different way.
Support Specialist
1 month 6 days ago #68903 by mel
Replied by mel on topic Two Factor Authentication
The code change that I gave earlier is not going to work properly. There are many pieces that it broke.

After talking with Alex, we've decided for J4.2 and later, we're going to rely on Joomla to handle the multi-factor authentication more and strip out the MFA functionality in our code that we wrote in earlier versions of SCLogin. Joomla has introduced more improvements in security that weren't present previously. There's a lot of logic that was put in to keep the user tied to that verification page until a code is entered to prevent sidestepping the auth process. Getting around this is extremely cumbersome in code and not really necessary anymore. That being said, this means SCLogin will not support modal verification codes for multifactor authentication after J4.2. Joomla's MFA system is a lot more robust now.
1 month 1 day ago #68906 by sutpat
Replied by sutpat on topic Two Factor Authentication
I appreciate the information and advice you have shared.
5 days 8 hours ago #68912 by sutpat
Replied by sutpat on topic Two Factor Authentication
Can I turn off one-time password slogin? Because many of my users don't understand about this. So I want to disable this function.