Webmin action by user: Login to Webmin failed : Invalid twofactor token

SYSTEM INFORMATION
OS type and version Ubuntu Linux 22.04.1
Webmin version 2.011, on virtualmin 7.5

Hi there,

I have been observing this unexpected behavior from Webmin since before Webmin 2.000 and Virtualmin 7.0. Since I have a public Webmin login page, I’d want to make sure it’s secure. So, is there a bug or a configuration mistake that would make my Webmin shoe the behavior below?

TL;DR: Webmin sends notification of unsuccessful logins even when they are successful

Setup Webmin running well with miniserv and SSL on a custom domain. I log in with my username (not root). I have set up 2FA on Webmin that works well too. I have enabled a few options to block users after too many logins, on the page Webmin → Webmin configuration → Authentication.

Notification that work
I sometimes get a Webmin alert by email that a login is unsuccessful, it mostly happens for root. I assume that my URL gets scanned and some bots have a try at it.

Notification that don’t work
When I log in myself, I also get these unsuccessful login emails from Webmin. For each successful login with my username, I receive 3 emails:

  • Webmin action by user: Login to Webmin failed : Invalid twofactor token
  • Webmin action by user: Login to Webmin failed : Invalid password
  • Webmin action by user: Logged into Webmin

Expected behavior

  • I expect to only get 1 email when a user successfully logs in.

/var/webmin/webmin.log

This are the log lines when I log in successfully with 2FA (correct password and correct 2FA token):

1674576635.2282934.0 [24/Jan/2023 17:10:35] user - 1.2.3.4 global miniserv.pl "failed" "-" "twofactor"
1674576635.2282941.0 [24/Jan/2023 17:10:35] user - 1.2.3.4 global miniserv.pl "failed" "-" "wrongpass"

Note that to be shown the 2FA entry field, I need to have already entered the correct password. So I don’t even understand why would Webmin log a wrongpass after a failed twofactor.