Add an option to disable two step verification providers

[Kirby]

Currently, the built-in providers

• Backup Codes
• Email confirmation
• Verification code via app

are always active (if TFA isn't entirely disabled).

But those providers are not equal (in terms of usability and security); especially Email confirmation seems somewhat cumbersome, leaks data and should be considered rather insecure (nobody knows if the email isn't forwarded unencrypted at some point for exmple).

This is even documented in the description:

Other two-step verification methods should be chosen over this if possible.

Backup codes seem to be insecure as well.

So if there are at least 2 stronger TFA options available (like TOTP, WebAuthn, etc.) it would be nice if the admin had an option to completely disable weaker options - especially as the required field and code to check that is already there, just a GUI is missing.

There had been somewhat similar / related suggestions in the past but none got traction:

Lack of interest - [Developer Tool] Two-factor authentication: "disable" handler

At the moment, when you disable any given 2FA provider, it simply deletes the entity. It would be great if you could add a new method to \XF\Tfa\AbstractProvider like so: public function handleDisable( \XF\Mvc\Controller $controller, \XF\Entity\TfaProvider $provider...

xenforo.com

Lack of interest - Toggle active status of 2FA providers

The ACP page for 2FA providers already lists all the active and inactive 2FA providers but I don't believe it's possible to enable/disable 2FA providers using the frontend (unless I'm missing something). It would be nice to have a toggle to do this. I imagine this would be mostly useful for...

xenforo.com

 

[Wildcat Media]

I had two addons with conflicting usage of "passkeys," and I had to manually go into the database to deactivate one of them.

So yes, being able to select which ones we allow visitors to use would be helpful. Upvoted!

 

[fury]

Sorry to resurrect an old thread, but I got here by googling this on the bing so I figured I'd leave a note for the next visitor. I was able to disable the "email" provider by the following database query:

update xf_tfa_provider set active = 0 where provider_id = 'email';

I find it a little odd that there isn't simply a button to turn these on/off in the control panel.

In my case, I needed to disable this as a possible option because I chose to force 2sv for all new users in order to fight spammers. Spammers are almost vanishingly unlikely to follow through with setting one up, so it helps. As I already have email confirmation on registration, having the option for an email confirmation as 2sv somewhat defeats that purpose as they can just use the same throwaway email address they just created to sign up.

 

[Wildcat Media]

Sorry to resurrect an old thread, but I got here by googling this on the bing so I figured I'd leave a note for the next visitor. I was able to disable the "email" provider by the following database query:

I did similar to deactivate one of the two duplicate "passkeys" entries. Having the option to disable, with the ability to re-enable if ever needed, I think would be the way to go.

 

[Kirby]

I find it a little odd that there isn't simply a button to turn these on/off in the control panel.

That's what this suggestion is about

As you figured out, the whole infrastructure is already there - just the GUI is missing.