sherpadvisorylab stops MFA from locking out the wrong people

A login fix that keeps two-factor security for the people who turned it on, and stops slamming the door on those who never finished setting it up.

security

Multi-factor authentication is supposed to add a second lock to your account, not bar you from the building. But sherpadvisorylab found a gap: users who started setting up MFA and never finished could get wrongly blocked at the door, with no way back in. The cause was the login check treating a half-finished setup as if it were a real, verified second factor.

The fix is narrow and sensible. The system now confirms that a user actually has a working, verified second factor before demanding one. People who genuinely enrolled still get the full two-factor challenge; people who never completed enrollment simply log in as normal instead of being locked out. The team also flagged a small trade-off in speed and error handling for anyone importing the change.
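The following is an added illustration of the logic described above, not code from the mikelawyer fork or from sherpadvisorylab. The factor states, the `User`/`Factor` classes and the `login` function are assumptions chosen to show the difference between "any enrolled factor" and "any verified factor"; the fixed check is the one that would be worth porting:

```python
from dataclasses import dataclass, field
from enum import Enum


class FactorState(Enum):
    PENDING = "pending"      # enrollment started, never confirmed by the user
    VERIFIED = "verified"    # user proved possession of the factor at enrollment


@dataclass
class Factor:
    kind: str                # e.g. "totp", "webauthn" (constructed labels)
    state: FactorState


@dataclass
class User:
    name: str
    factors: list = field(default_factory=list)


def requires_step_up_buggy(user: User) -> bool:
    """Flawed check (assumed shape of the original bug): any factor row,
    even a half-finished PENDING one, counts as a real second factor."""
    return len(user.factors) > 0


def requires_step_up_fixed(user: User) -> bool:
    """Corrected check: demand a second factor only if at least one
    factor has actually been verified."""
    return any(f.state is FactorState.VERIFIED for f in user.factors)


def login(user: User, password_ok: bool, otp_ok: bool, check=requires_step_up_fixed) -> str:
    """Constructed login flow. A user with only a pending factor has no
    working code generator, so otp_ok is False for them by construction."""
    if not password_ok:
        return "denied"
    if check(user):
        return "ok" if otp_ok else "denied"
    return "ok"


# Constructed sample users
HALF_ENROLLED = User("half", [Factor("totp", FactorState.PENDING)])
FULLY_ENROLLED = User("full", [Factor("totp", FactorState.VERIFIED)])
NO_MFA = User("plain")


if __name__ == "__main__":
    for check in (requires_step_up_buggy, requires_step_up_fixed):
        print(check.__name__)
        print("  half-enrolled, no code available:", login(HALF_ENROLLED, True, False, check))
        print("  fully enrolled, wrong code:      ", login(FULLY_ENROLLED, True, False, check))
        print("  fully enrolled, right code:      ", login(FULLY_ENROLLED, True, True, check))
        print("  no MFA at all:                   ", login(NO_MFA, True, False, check))
```

With the buggy check the half-enrolled user is denied on every attempt, since they can never produce a code for a factor they never finished; with the fixed check they log in with password only, while the fully enrolled user is still challenged and still rejected on a wrong code.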

So what: Anyone running a Mike fork with two-factor login should look at this before a stuck setup quietly locks real users out of their own accounts.



Commits in this thread

1 commit from sherpadvisorylab/mikelawyer, oldest first. Source extracted verbatim from the harvested git log.

SHA       Subject                                                Author              Date
a5131649  Skip MFA step-up check when no verified factor exists  Alessandro Stucchi  2026-06-19
