Uncaught Exception: Invalid characters in the base32 string

[Tijmen-Scherp]

Describe the bug

Our users were previously using Solid Security's 2fa functionality. When disabling Solid Security and installing the Two-Factor plugin, it seems most user's 2fa settings are automatically recognized by the Two-Factor plugin. Users with email authentication are still receiving email codes and can log in accordingly.

However, some of our users that have 2fa set up with their Authenticator app, report fatal errors when attempting to input their 2fa code:

Uncaught Exception: Invalid characters in the base32 string in /plugins/two-factor/providers/class-two-factor-totp.php:752

Any ideas on what could be causing this, and how to prevent this or fix this without having to manually reset everyone's 2fa settings?

Steps to Reproduce

1. Set up 2fa using the authenticator method with Solid Security.
2. Disable Solid Security.
3. Install Two-Factor.
4. Attempt to log in with the existing authenticator method attributed to a user.

Screenshots, screen recording, code snippet

No response

Environment information

No response

Please confirm that you have searched existing issues in this repository.

Yes

Please confirm that you have tested with all plugins deactivated except Two-Factor.

Yes

[dd32]

Any ideas on what could be causing this

Solid Security :)

It looks like it migrates it's TOTP keys to Two Factor Keys:
https://plugins.trac.wordpress.org/browser/better-wp-security/trunk/core/modules/two-factor/setup.php?rev=2574160&marks=103-104#L90

In doing so, it's seemingly not migrating the contents of the key to be in the expected format for Two Factor.

In other words, the code for this is in Solid Security, not Two-Factor, and is seemingly setting the data incorrectly.

It may help if you're able to share the contents of a users _two_factor_totp_key meta key, but in doing so you'd be sharing their 2FA authentication code, so you'd need to also delete it from the user (to force them to set it up again).

and how to prevent this or fix this without having to manually reset everyone's 2fa settings?

Without knowing what format Solid Security used for the stored values, it's not possible for us to know. It's likely possible for you to migrate the keys over - but we're not able to help with that.

I've looked at some older versions of Solid Security and I can't immediately see what it stored. It's not clear to me if this was a free or pro feature.

I would suggest you need to start with contacting them through:
https://wordpress.org/support/plugin/better-wp-security/