Disable email / password change when two-step is required.

Discussion in 'XenForo Suggestions' started by Tim Jay, Mar 25, 2016.

  1. Tim Jay

    Tim Jay Active Member

    This is a quick suggestion.

    As we all know, you can "Require two-step verification" under usergroup permissions.
    They will see this message on the front page:


    One small thing I noticed is the user can still change his password or email before enabling the two-step.

    Everything else is closed off like the front page, inbox and all that but everything under /account/ is accessible.

    I would really like to use this as a method of preventing accounts (without 2FA already enabled) from being stolen. But with just a login, the account can be taken over even if I've "required" 2FA on the user.

    I know other sites don't have to deal with the same security issues I do.
    I have always had a problem of people trying to steal accounts because established accounts hold much more value.

    I will be requiring 2FA for everyone, but I feel that disabling account settings until they actually enable it would be great.

