Can I require app ONLY for 2FA?

[TimWilson]

We have an option for any of our members to use 2FA if they want to, and we encourage it for members engaging in our peer-to-peer marketplace.

I don't like the ability to use email authentication, though, for a variety of reasons. One of them is that I don't trust our email system, and am currently replacing it (and in the meantime am hand-authenticating dozens of requests) but there are other reasons.

More broadly, I've certainly noted that most of the folks I work with who require 2FA (server companies, DirectAdmin, Stripe, MailChimp, etc) don't allow an email option at all. You can ONLY use an app. Some of them specify which app, some don't...but email is not an option.

That's what I'm looking for. I don't care which app my members want to use, but I want them to use an app, and I don't want to allow email as an option.

Is there an option to set up that requirement on the admin side, or do I just need to work harder to keep them from choosing email?

Thanks as always!

 

[Sim]

From what I can tell, there is no UI to disable Email 2FA - but if you look at the database table xf_tfa_provider - you'll see that there is a database field to indicate whether TFA providers are active.

I don't know what the implications of disabling the XF:Email provider is for other parts of the forum - but you could try it by setting the active field to 0?

 

[TimWilson]

I don't know what the implications of disabling the XF:Email provider is for other parts of the forum - but you could try it by setting the active field to 0?

Oooo, I like this! The worst that will happen is that it won't work, and I'll back out the change, right? But it sounds worth a try! Thanks!