Email client security checks trigger duplicate two-factor emails
Description
Some email clients or other security measures may send pre-flight checks for links in emails. For users with email configured as an MFA option, these checks may trigger sending the MFA code via email. The user is sent another MFA code when they navigate to the link in their browser. Only the most recent MFA code is valid.
These are often an HTTP HEAD request, but some clients may use a GET request.
Affects versions
1.33.0-1.46.0
Steps to reproduce
1. Enable MFA for a user via email
2. On the FusionAuth login page, click the Forgot Password link
3. Enter the user's email address and submit the form
4. Copy the change password link from the email (do not click it)
5. Use the curl command or other tool to send a HEAD request to the link to simulate an email client security check (example below)
6. The user should receive an email with an MFA code
7. Now open the password change link in the browser
8. The user receives another MFA code via email
9. Only the second code will work to complete MFA step-up
Here is an example curl command to send the request. Query string parameters have been omitted for brevity but should be provided when making the request.
Expected behavior
Email client or other pre-flight security checks should not trigger an MFA email to be sent.
Documentation
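As an added illustration (not FusionAuth code, and not the issue's own curl command), here is a minimal model of the change-password link handler that replays the sequence above: with `send_on_explicit_action=False` the code is emailed as a side effect of the link being fetched, so the HEAD pre-flight and the browser GET each send one and the first is stale; with `send_on_explicit_action=True` the page only renders, and a code is sent when the user explicitly asks for it. The store, the handler, and the user address are constructed for the example, and the hardened policy is one common mitigation rather than the project's actual fix.

```python
from dataclasses import dataclass, field


@dataclass
class MfaStore:
    """Constructed stand-in for the MFA code store: one live code per user."""
    sent: list = field(default_factory=list)     # every code emailed, in order
    current: dict = field(default_factory=dict)  # user -> the only code that validates

    def issue(self, user: str) -> str:
        # Sequential codes keep the example deterministic; a real store draws
        # them from a CSPRNG. Issuing a new code invalidates the previous one.
        code = f"{len(self.sent) + 1:06d}"
        self.sent.append(code)
        self.current[user] = code
        return code

    def verify(self, user: str, code: str) -> bool:
        return self.current.get(user) == code


def handle_link_request(store: MfaStore, user: str, method: str,
                        send_on_explicit_action: bool):
    """Model of the change-password link handler; returns the code emailed
    for this request, or None when nothing is sent."""
    if send_on_explicit_action:
        # Hardened policy: loading the link (HEAD or GET) only renders the page;
        # the code is emailed when the user explicitly asks for it (POST).
        return store.issue(user) if method == "POST" else None
    # Behaviour described in the issue: the code is emailed as a side effect of
    # the link being fetched, so a HEAD pre-flight and the later GET each send one.
    return store.issue(user) if method in ("HEAD", "GET") else None


def simulate(send_on_explicit_action: bool) -> dict:
    """Replay the issue's sequence: email-client pre-flight, browser visit,
    then the user's explicit action on the rendered page."""
    store = MfaStore()
    user = "alice@example.com"  # constructed
    for method in ("HEAD", "GET", "POST"):
        handle_link_request(store, user, method, send_on_explicit_action)
    return {
        "emails_sent": len(store.sent),
        "first_code_valid": store.verify(user, store.sent[0]),
        "last_code_valid": store.verify(user, store.sent[-1]),
    }


if __name__ == "__main__":
    print("as reported:", simulate(send_on_explicit_action=False))
    print("hardened:   ", simulate(send_on_explicit_action=True))
```

Under the reported behaviour two emails go out and only the second code validates, which is exactly the user-visible symptom in the steps above; under the explicit-action policy a scanner's HEAD or GET sends nothing.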