Log or alert on failed 2FA codes

[jeffpaul]

Logging a placeholder issue from insight shared from @georgestephanis after finding a related tweet on this topic... We should fire off a log or alert to site admins on any failed 2FA code. Or an error_log or something. So if someone has a password but is trying to brute force a code it can get caught.

[Lucisu]

I extended the Two_Factor_Provider class adding the function to log the failure:

two-factor/providers/class-two-factor-provider.php

Lines 75 to 106 in 3b69449

	/**
	* Logs the failed authentication.
	*
	* @param WP_User $user WP_User object of the user trying to login.
	* @param string|false $code The code used to authenticate, if available.
	*
	* @return void
	*/
	public function log_failure( $user, $code = false ) {
	/**
	* This action is triggered when a Two Factor validation fails.
	*
	* @param WP_User $user WP_User object of the user trying to login.
	* @param string|false $code The code used to authenticate, if available.
	*/
	do_action( 'two_factor_user_login_failed', $user, $code );
	/* translators: %1$d: the user's ID %2$s: the code used to authenticate */
	$log_message = sprintf( esc_html__( 'The user with ID %1$d failed to login using the code "%2$s"', 'two-factor' ), $user->ID, esc_html( $code ) );
	/**
	* This action is triggered when a Two Factor validation fails.
	*
	* @param boolean $should_log Whether or not the authentication failure should be logged.
	* @param WP_User $user WP_User object of the user trying to login.
	* @param string|false $code The code used to authenticate, if available.
	* @param string $log_message The generated log message.
	*/
	if ( apply_filters( 'two_factor_log_failure', true, $user, $code, $log_message ) ) {
	error_log( $log_message );
	}
	}

And added it to TOTP:

two-factor/providers/class-two-factor-totp.php

Lines 290 to 304 in 3b69449

	public function validate_authentication( $user ) {
	$success = false;
	if ( ! empty( $_REQUEST['authcode'] ) ) {
	$success = $this->is_valid_authcode(
	$this->get_user_totp_key( $user->ID ),
	sanitize_text_field( $_REQUEST['authcode'] )
	);
	}
	if ( ! $success ) {
	$this->log_failure( $user, ! empty( $_REQUEST['authcode'] ) ? sanitize_text_field( $_REQUEST['authcode'] ) : false );
	}
	return $success;
	}

Now, other providers can use it.

I guess it's not the better way to use error_log, though.

[iandunn]

Related: #476 would be a good follow-up to this IMO