• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Disable Two-Step Verification (config.php)

wEbAddEr

Active member
#21
When disabling it whit user/group permissions and you want to go to your acp, it demands that you activate it at your admin forum account...
So i try now this config.php solution because this two step verification annoys me like hell and don't give much extra security to your forum.
 

Rudy

Well-known member
#22
I recommend adding this to your config.php file, commented out, in case of emergency, so you don't have to go digging for it when you need it. I've been locked out of my own forums due to 2FA acting flaky in the past.
 

zoldos

Well-known member
#23
Why does everyone want to hardcode disable this in config.php? I've never had an issue with it at all. Pretty sure it's enabled, but neither me or my users mess with it...
 

Rudy

Well-known member
#24
I have it in there...commented out. But only because I have had it fail on me more than once, when I can't get into my own admin panel to disable it. Logins end up in an endless loop. If members start using it, staff can easily go in and disable 2FA on the individual accounts if a member has a problem with using it.
 

zoldos

Well-known member
#25
Code:
$config['enableTfa'] = false;
In config.php doesn't seem to do anything. I can still access TFA. Why can't I just disable it in my Permissions settings?
 

zoldos

Well-known member
#26
I see, I can only make it "not required" in Permissions, not disable it. But still, the config.php hack still doesn't work!! lol
 

Chris D

XenForo developer
Staff member
#27
I see, I can only make it "not required" in Permissions, not disable it. But still, the config.php hack still doesn't work!! lol
It doesn't prevent access to the 2FA UI, but it prevents 2FA being asked for. It's to be used for emergencies only, such as locking yourself out.
 

zoldos

Well-known member
#30
But the real question is: Why? Does TFA in XF not work or something? I use TFA for most of my on-line games and e-mail accounts and it proves quite useful.
 

Chris D

XenForo developer
Staff member
#31
I can't speak for @Rudy as to why, but the designed usage for it is if you literally have no way of authenticating, e.g. lost access to the email or the device where the 2FA one time password is configured.

Aside from that hopefully rare occurrence, there shouldn't be any problems with it under normal conditions. If there is, that should be troubleshooted in the normal way (in the Troubleshooting forum or via support ticket).
 

zoldos

Well-known member
#32
Thanks! One last question, when I set it up, does it "remember" my device is authenticated so I don't have to do it every single logon?
 

Rudy

Well-known member
#35
I can't speak for @Rudy as to why, but the designed usage for it is if you literally have no way of authenticating, e.g. lost access to the email or the device where the 2FA one time password is configured.
I think Mike figured it may have had to do with a time sync issue between the server and Google Authenticator, or cookies, or something like that. It is a lower priority item for me at the moment, so I haven't bothered to do a ticket for it yet. But if you consider that I'm the admin of these forums, if I get locked out because of 2FA acting up, that's a Really Big Problem. ;) I am using the email method right now to try it again. Since it has a 15 minute timeout, vs. 30 (?) seconds, that might alleviate the problem.
 

Rudy

Well-known member
#36
Yep, I'll have to open a ticket. 2FA works fine from the computers and the tablet. No go from the phone. And I'm using the email method.

See, if I were out on the road when this happened, I could log in with an SSH client on the phone (yes, it's tiny, but workable), and go in and uncomment the lines in config.php so I could get into my own forum.
 
#37
It might be good to explain two step verification in the manual. Am I just missing it?

The points I'd include besides the two step "have you seen" article are:
  1. Why its good for your board.
  2. You can turn it off globally in admincp.
  3. You can turn it on per usergroup.
  4. Failsafe explanation for the config file.