Jun 26, 2014 at 7:22 PM
Edited Jun 26, 2014 at 7:56 PM
Hi! I think I have found a bug in the GetValidTwoFactorProviders() method. This method fetches providers even if those providers have not been verified. For example, it will add the PhoneCode provider during Two Factor Authorization if the phone number has been added but not confirmed by the user.
I can remove the provider from the list in the sendCode() method manually if it has not been verified, like this:
if (userFactors.Contains("PhoneCode") && !(await UserManager.IsPhoneNumberConfirmedAsync(userId)))
However, I think that the method responsible for this logic is GetValidTwoFactorProviders() because the word "Valid" in the name of this method implies that the providers should be verified.
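The workaround described in the post, generalized into a reusable filter, as an added example that is not code from the post or from ASP.NET Identity. It assumes the ASP.NET Identity 2.x `UserManager<TUser, TKey>` API; the class and method names are hypothetical, and the `"EmailCode"` provider name is an assumption (only `"PhoneCode"` appears in the post).

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

// Hypothetical helper: returns only two-factor providers whose delivery
// channel the user has actually confirmed.
public static class ConfirmedTwoFactorExtensions
{
    // "PhoneCode" is the provider name from the post; "EmailCode" is assumed.
    // Adjust both to the names passed to RegisterTwoFactorProvider in your app.
    private const string PhoneProvider = "PhoneCode";
    private const string EmailProvider = "EmailCode";

    public static async Task<IList<string>> GetConfirmedTwoFactorProvidersAsync<TUser, TKey>(
        this UserManager<TUser, TKey> manager, TKey userId)
        where TUser : class, IUser<TKey>
        where TKey : IEquatable<TKey>
    {
        // Start from what the framework reports, then drop unconfirmed channels.
        IList<string> reported = await manager.GetValidTwoFactorProvidersAsync(userId);
        var confirmed = new List<string>();
        foreach (string provider in reported)
        {
            if (provider == PhoneProvider && !await manager.IsPhoneNumberConfirmedAsync(userId))
                continue; // number added but never confirmed
            if (provider == EmailProvider && !await manager.IsEmailConfirmedAsync(userId))
                continue; // address never confirmed
            confirmed.Add(provider);
        }
        return confirmed;
    }

    // Re-check the provider chosen in the posted form on the server before
    // sending a code: hiding an entry in the view does not stop it being posted.
    public static async Task<bool> IsConfirmedTwoFactorProviderAsync<TUser, TKey>(
        this UserManager<TUser, TKey> manager, TKey userId, string selectedProvider)
        where TUser : class, IUser<TKey>
        where TKey : IEquatable<TKey>
    {
        IList<string> confirmed = await manager.GetConfirmedTwoFactorProvidersAsync(userId);
        return confirmed.Contains(selectedProvider);
    }
}
```

Use the first method to build the provider list shown to the user and the second in the action that sends the code, so both paths apply the same confirmation rule.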