Add an option to disable two step verification providers

Kirby

Well-known member
Currently, the built-in providers
  • Backup Codes
  • Email confirmation
  • Verification code via app
are always active (if TFA isn't entirely disabled).

But those providers are not equal (in terms of usability and security); especially Email confirmation seems somewhat cumbersome, leaks data and should be considered rather insecure (nobody knows if the email isn't forwarded unencrypted at some point for example).

This is even documented in the description:
Other two-step verification methods should be chosen over this if possible.

Backup codes seem to be insecure as well.

So if there are at least 2 stronger TFA options available (like TOTP, WebAuthn, etc.) it would be nice if the admin had an option to completely disable weaker options - especially as the required field and code to check that is already there, just a GUI is missing.

There had been somewhat similar / related suggestions in the past but none got traction:
 
Upvote 10
I had two addons with conflicting usage of "passkeys," and I had to manually go into the database to deactivate one of them.

So yes, being able to select which ones we allow visitors to use would be helpful. Upvoted!
 