2SV bypassed when logging in offline
Reported by tony.laz...@gmail.com, Jul 27 2017
Issue description
Chrome Version : 59.0.3071.134
OS Version: 9460.73.0
URLs (if applicable) :
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 5:n/a
Firefox 4.x:n/a
IE 7/8/9:n/a
What steps will reproduce the problem?
1. Switch off your router (or disable wifi on the CB before you last logged out).
2. On power-up or login, you will be asked to connect to the internet, or to log in as guest, or to sign in if you are already "registered" on the device. In practice that means you must have signed in successfully at least once before.
3. Selecting the already registered option, you can log in with just your password.
4. Once logged on, turn on your router or connect to the internet some other way.
What is the expected result? Once connected to the internet, there should be a 2SV challenge before accessing any Google services (e.g. email, Drive etc.) at the very least.
What happens instead of that? You are logged in without any further challenge, bypassing 2SV completely.
Please provide any additional information below. Attach a screenshot if possible.
UserAgentString: Mozilla/5.0 (X11; CrOS x86_64 9460.73.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.134 Safari/537.36
This is really a serious security flaw, even if it is a WAI. By the simple technique of disconnecting a CB from the internet you can log into a user account without a 2SV challenge regardless of the user's setting.
Aug 30 2017
Mar 2 2018
Duping this into a related 2FA feature request - though there is not technically a security issue here (hiding pods is not intended to be a 2FA enforcement mechanism), the inconsistency confuses users.
Comment 1 by denny.lo...@gmail.com, Jul 27 2017