I am having a serious issue with duo on my multisite. My users are unable to login to anything other than network admin panel.

Here is the issue.

• Login to network admin i.e example.com
• Activate DUO.
• Logout.
• Go to another WordPress site on network i.e test2.example.com.
• Login with super admin login
• Loading message displays, browser redirects to example.com not logged in.

This redirect loop means that I am unable to login any other of my sites.
This issue has already been discussed on WordPress forum and a fix was put in place (6de72e8). This implemented the network_site_url which points the login script to primary site on the network and not the current site that you are on. As my multisite is set to the sub domain configuration, this point the login action to the primary site on the network. Implementing site_url would fix this issue as it point the login script the current site that the user is on. In my tests, this fixed the plugin.

I have forked the plugin and I will be submitting the fix via a pull request soon.

When logged in to my server via SSH, the DUO spits out a bunch of HTML error rubbish on the command line when running WP CLI commands.

Reproduce:

1. Log in over SSH
2. Run a WP CLI command such as wp plugin list
3. Many errors are output, including PHP warnings about "cookie names must not be empty", "file_get_contents() SSL operation failed", "file_get_contents(): failed to enable crypto" etc., followed by HTML output of the WordPress login screen (with DUO iframe)

Mitigation?

WP CLI sets a constant called WP_CLI, this is the most common means of determining if a request comes from WP CLI.
So perhaps fixing this is as simple as adding the following to duo_auth_enabled() or duo_role_require_mfa():

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    return false;
}

See WP CLI docs: https://make.wordpress.org/cli/handbook/guides/commands-cookbook/#include-in-a-plugin-or-theme

We are working with a vendor to do an external connection for a WooCommerce store for product recommendations. The DUO plugin is blocking access to the REST API endpoint they are trying to use /wp-json/wc/v3/

It looks like this is another case where an exception needs to be added to the DUO plugin to allow external clients to connect or at least authenticate in some way.

HI!
I've a question for you!
In any case of error or other, if I can't login in my wp site, there is an "emergency" login? can I remove the plugin from the server (like remove duo directory) and start my site normally? thank you for your reply (and sorry for my english!).

When trying to use Duo with a server which requires all outbound connections to go via a proxyserver the connection to fetch the time from /auth/v2/ping causes a timeout.

This then causes it to hang until it gets to use the localtime causing login to take a some time as timeouts occur.

With define('FORCE_SSL_LOGIN', true); set in wp-config.php, duo_wordpress fails to include its Javascript library using SSL. This only seems to be a problem in Chrome (I tested Safari and Chrome), because the second factor auth in Chrome is done from the HTTPS resource, whereas Safari only seems to POST the first factor auth to the HTTPS resource, and then serves the second factor from HTTP.

To reproduce, simply install a vanilla blog, setup duo_wordpress, and add define('FORCE_SSL_LOGIN', true); to wp-config.php. Open your site in Chrome and attempt to login.