Add an option to disable two step verification providers


Well-known member
Currently, the built-in providers
  • Backup Codes
  • Email confirmation
  • Verification code via app
are always active (if TFA isn't entirely disabled).

But those providers are not equal (in terms of usability and security); especially Email confirmation seems somewhat cumbersome, leaks data and should be considered rather insecure (nobody knows if the email isn't forwarded unencrypted at some point for exmple).

This is even documented in the description:
Other two-step verification methods should be chosen over this if possible.

Backup codes seem to be insecure as well.

So if there are at least 2 stronger TFA options available (like TOTP, WebAuthn, etc.) it would be nice if the admin had an option to completely disable weaker options - especially as the required field and code to check that is already there, just a GUI is missing.

There had been somewhat similar / related suggestions in the past but none got traction:
Last edited:
Upvote 10
I had two addons with conflicting usage of "passkeys," and I had to manually go into the database to deactivate one of them.

So yes, being able to select which ones we allow visitors to use would be helpful. Upvoted!
Top Bottom