The 'two_factor_enabled_providers_for_user' filter behaves differently in version 0.16.0

[sirolf]

Describe the bug

Hi,

Prior to version 0.16.0, we used the two_factor_enabled_providers_for_user filter to programmatically disable all providers for a specific user when they accessed the site from our company IP address.

After updating to version 0.16.0, this behavior seems to have changed. When the provider list is empty, the plugin now automatically enables email as a provider.

Would it be possible to add either:

• an extra filter to explicitly allow an empty provider list, or
• an IP whitelist filter to support this use case?

Regards,
Floris Jansen

Steps to Reproduce

Update to version 0.16.0

Screenshots, screen recording, code snippet

No response

Environment information

No response

Please confirm that you have searched existing issues in this repository.

Yes

Please confirm that you have tested with all plugins deactivated except Two-Factor.

Yes

[alexclst]

I just ran into this problem. In my case, I've written a sms login plugin that can send codes via sms, and want to completely disable Two Factor when it is used. I have the following attached to the two_factor_enabled_providers_for_user hook:

public function bypass_two_factor( $enabled, $user_id ) {
  if ( rgar( $_POST, 'tg_sms_code' ) ) { // disable 2FA when a sms code of ours is present in POST
	return [];
  }
  return $enabled;
}

But I too now see the (never configured for my user) Email auth method. In my situation I really do want a filter to completely disable Two Factor. Please fix this regression in functionality of this filter.

[abovowebdevelopment]

We are facing the same issue in 0.16.0. We also want to disable the two factor based on certain IP addresses. Would be nice if this functionality will be available again.