XF 1.5 Can't login to my forum with 2FA after iOS upgrade failed on my iPhone

fredrikse

Hi, I've been running a XenForo forum for many years and I never imagined I could lock myself out of my own forum. But that's what happened a while back when an iOS upgrade failed on my iPhone.

Before I upgraded the iPhone I made sure I had a fresh backup. And when the upgrade failed due to disruptions in the Internet connection I restored the fresh backup successfully.

But when I tried to log in to my forum with my admin account I was not successful. Apparently my forum connection in the Microsoft Authenticator App was not restored when I restored the iOS backup. Therefore I could not complete the login with 2FA, which is set to be my default login method.

My question now is how I can gain access again to the forum with my admin account? I would like to disable 2FA somehow to allow myself to log in with only my password.

I have read and write permissions on the database itself. I think I'm running version 1.5. I guess I can verify that by running a query in the database?

Thanks in advance for any suggestions.
 
But when I tried to log in to my forum with my admin account I was not successful. Apparently my forum connection in the Microsoft Authenticator App was not restored when I restored the iOS backup. Therefore I could not complete the login with 2FA, which is set to be my default login method.
As explained... you can turn 2FA off...
But suggestion... look for a 2FA app that will back up (encrypted) your credentials either to iCloud or a server they run (like Authy does, but it's broke for my QR codes and they are aware of an issue with it). I currently use 2FAS, as it backs up encrypted to iCloud, and upon a restore you get your data back.
I am also using @digitalpoint's add-on and have 2 YubiKeys set up to work.
 
@digitalpoint's add-on and YubiKey as well - with backup codes......

 
Thanks for all suggestions so far.

Add this to your config.php file:

$config['enableTfa'] = false;
I assume this will affect all users? Is there a way to disable it for a specific user?

As explained... you can turn 2FA off...
But suggestion... look for a 2FA app that will back up (encrypted) your credentials either to iCloud or a server they run (like Authy does, but it's broke for my QR codes and they are aware of an issue with it). I currently use 2FAS, as it backs up encrypted to iCloud, and upon a restore you get your data back.
I am also using @digitalpoint's add-on and have 2 YubiKeys set up to work.
Will definitely look for a different app going forward that backs up credentials properly.
 
Edit the config file to add the line.

Log in and update 2FA for your account.

Edit the config file again to remove the line.
 
I assume this will affect all users? Is there a way to disable it for a specific user?
Yes, it is global...
And yes, if a specific user has it enabled and has the same issue and contacts you via the Contact Us link, you can disable it in their user profile as long as you have ACP access.

 
Edit the config file to add the line.
Sounds like this is the way to do it then. And when I enable the 2FA setting again in the config file, all existing users with 2FA activated will be able to use this login method again?

Log in and update 2FA for your account.
When I have managed to log in, should I just remove 2FA on my account as the preferred login method?

And yes, if a specific user has it enabled and has the same issue and contacts you via the Contact Us link, you can disable it in their user profile as long as you have ACP access.
In order to have ACP access I guess I need to be able to log in? That's not the case right now with the 2FA issue. Is there a query that I can run for a specific user to disable 2FA?
 
Is there a query that I can run for a specific user to disable 2FA?
No, that wouldn't be a good way to do it.

Two scenarios:
1) You (an admin) are locked out of 2FA: Add this to your config.php file: $config['enableTfa'] = false; then log in as admin and under your specific account, disable and re-enable 2FA with a new 2FA authentication. Then re-enable the 2FA option sitewide by removing the line above from config.php.

2) A member/user is locked out: As an admin you can go in and disable 2FA under their specific account. Then they can re-enable it at a later time with a new authentication.
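
A check for the last step of the admin recovery procedure above, added here as an example and not part of the original thread or of XenForo itself: it reports whether a config.php still carries an active `$config['enableTfa'] = false;` line, ignoring commented-out copies. The sample file contents and function names are constructed for illustration.

```python
import re
import sys

# Assignment to $config['enableTfa'] (either quote style); group 2 is the value.
ASSIGN = re.compile(r"""\$config\s*\[\s*(['"])enableTfa\1\s*\]\s*=\s*([^;]+);""")
# String literals are matched first so comment markers inside quotes survive;
# after that come /* */, // and # comments.
TOKEN = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#[^\n]*""", re.S)
FALSY = {"false", "0", "null", "''", '""'}

def strip_php_comments(src):
    """Blank out PHP comments while leaving string literals untouched."""
    return TOKEN.sub(lambda m: m.group(1) or " ", src)

def tfa_globally_disabled(src):
    """True if the last active enableTfa assignment in the file is falsy."""
    hits = ASSIGN.findall(strip_php_comments(src))
    return bool(hits) and hits[-1][1].strip().lower() in FALSY

# Constructed sample: config.php while the temporary override is in place.
SAMPLE_DURING = """<?php
$config['db']['host'] = 'localhost';
$config['enableTfa'] = false;
"""

# Constructed sample: override commented out instead of deleted (still safe).
SAMPLE_COMMENTED = """<?php
$config['db']['host'] = 'localhost';
// $config['enableTfa'] = false;
/* $config["enableTfa"] = false; */
"""

# Constructed sample: a '//' inside a string must not hide the next line.
SAMPLE_URL = """<?php
$config['externalDataUrl'] = 'https://cdn.example.invalid/data'; $config['enableTfa'] = FALSE;
"""

if __name__ == "__main__":
    # Pass the path to config.php; without an argument the sample is checked.
    text = (open(sys.argv[1], encoding="utf-8").read()
            if len(sys.argv) > 1 else SAMPLE_DURING)
    print("2FA globally disabled:", tfa_globally_disabled(text))
```

Running it against the live config.php after the admin account has been re-enrolled confirms that two-factor enforcement is back on for every account.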
 
We're experiencing this issue as well since we changed servers. Members with 2FA enabled can't log in. After logging in with their details they remain logged out. We have to disable 2FA via the config file so they can log in successfully. This is not just a few members, it's thousands, and of course they don't log in all at once. Those who last logged in prior to the server transfer will experience the issue, so we have to globally disable 2FA for the time being. Is there a safer and better way to fix the issue for everyone?
 