
Disable Two-Step Verification (config.php)

When disabling it with user/group permissions and you want to go to your ACP, it demands that you activate it on your admin forum account...
So I'm trying this config.php solution now, because this two-step verification annoys me like hell and doesn't give much extra security to your forum.
 
I recommend adding this to your config.php file, commented out, in case of emergency, so you don't have to go digging for it when you need it. I've been locked out of my own forums due to 2FA acting flaky in the past.
 
Why does everyone want to hardcode disable this in config.php? I've never had an issue with it at all. Pretty sure it's enabled, but neither I nor my users mess with it...
 
I have it in there...commented out. But only because I have had it fail on me more than once, when I can't get into my own admin panel to disable it. Logins end up in an endless loop. If members start using it, staff can easily go in and disable 2FA on the individual accounts if a member has a problem with using it.
 
Code:
$config['enableTfa'] = false;
in config.php doesn't seem to do anything. I can still access TFA. Why can't I just disable it in my Permissions settings?
 
I see, I can only make it "not required" in Permissions, not disable it. But still, the config.php hack still doesn't work!! lol
 
I see, I can only make it "not required" in Permissions, not disable it. But still, the config.php hack still doesn't work!! lol
It doesn't prevent access to the 2FA UI, but it prevents 2FA being asked for. It's to be used for emergencies only, such as locking yourself out.
 
But the real question is: Why? Does TFA in XF not work or something? I use TFA for most of my on-line games and e-mail accounts and it proves quite useful.
 
I can't speak for @Rudy as to why, but the designed usage for it is if you literally have no way of authenticating, e.g. lost access to the email or the device where the 2FA one time password is configured.

Aside from that hopefully rare occurrence, there shouldn't be any problems with it under normal conditions. If there is, that should be troubleshot in the normal way (in the Troubleshooting forum or via support ticket).
 
Thanks! One last question, when I set it up, does it "remember" my device is authenticated so I don't have to do it every single logon?
 
I can't speak for @Rudy as to why, but the designed usage for it is if you literally have no way of authenticating, e.g. lost access to the email or the device where the 2FA one time password is configured.
I think Mike figured it may have had to do with a time sync issue between the server and Google Authenticator, or cookies, or something like that. It is a lower priority item for me at the moment, so I haven't bothered to do a ticket for it yet. But if you consider that I'm the admin of these forums, if I get locked out because of 2FA acting up, that's a Really Big Problem. ;) I am using the email method right now to try it again. Since it has a 15 minute timeout, vs. 30 (?) seconds, that might alleviate the problem.
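As an added illustration of the time-sync failure mode mentioned above (this is example code written for this thread, not XenForo's own 2FA implementation), the snippet below implements RFC 6238 TOTP verification with a configurable step window and simulates a phone whose clock is off by a few seconds versus a few minutes. The demo secret is constructed, and the accepted window sizes are assumptions for the demo; the page does not say what tolerance XenForo actually uses.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret (base32), NOT a real credential.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP = 30      # TOTP time step in seconds (the 30-second codes Google Authenticator shows)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, server_time: int,
                window: int = 1, step: int = STEP) -> bool:
    """Accept a code if it matches the current step or any of `window` steps on either side.

    The window is what makes a slightly drifted phone clock tolerable; a clock that is
    off by more than window*step seconds produces codes the server will never accept.
    """
    counter = server_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, len(code)), code):
            return True
    return False


def drift_outcome(secret: bytes, client_skew_seconds: int, window: int = 1,
                  server_time: int = 1_700_000_000) -> bool:
    """Simulate a phone whose clock is off by `client_skew_seconds` from the server.

    Returns True if the code that phone would display is accepted by the server.
    """
    client_code = totp(secret, server_time + client_skew_seconds)
    return verify_totp(secret, client_code, server_time, window=window)


def drift_table(secret: bytes, skews=(-90, -30, 0, 10, 60), windows=(1, 2)) -> dict:
    """Map (skew, window) -> accepted, for a quick look at where lockout starts."""
    return {(s, w): drift_outcome(secret, s, window=w) for s in skews for w in windows}


if __name__ == "__main__":
    secret = base64.b32decode(DEMO_SECRET_B32)
    for (skew, window), ok in sorted(drift_table(secret).items()):
        print(f"phone clock off by {skew:+4d}s, window={window} step(s): "
              f"{'accepted' if ok else 'REJECTED'}")
```

With a one-step window, a phone that is a few seconds off still authenticates, but one that is a minute or more off is rejected every time, which looks to the user like "2FA is broken". That is also why an emailed code with a 15-minute expiry, as used in the post above, survives clock drift that kills a 30-second TOTP code.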
 
Yep, I'll have to open a ticket. 2FA works fine from the computers and the tablet. No go from the phone. And I'm using the email method.

See, if I were out on the road when this happened, I could log in with an SSH client on the phone (yes, it's tiny, but workable), and go in and uncomment the lines in config.php so I could get into my own forum.
 
It might be good to explain two step verification in the manual. Am I just missing it?

The points I'd include besides the two step "have you seen" article are:
  1. Why it's good for your board.
  2. You can turn it off globally in admincp.
  3. You can turn it on per usergroup.
  4. Failsafe explanation for the config file.
 