XF 2.1 Forcing 2FA for users

[Danny Fyne]

Not sure if I'm missing something here but when I activate 2FA, no problem. All users are forced to turn on 2FA. However, once a user has turned on 2FA, they can simply disable it via their 'password & security' CP.

Is there any way to make sure that all users use 2FA all the time without the ability to disable it after setting it up?

 

[Danny Fyne]

 

[tom3]

I think the easiest way would be to edit the template account_two_step and set <xf:if is="$xf.visitor.Option.use_tfa"> in line 46 to a desired permission or function e.g. for admins only: <xf:if is="$xf.visitor.is_admin">.

 

[Danny Fyne]

Thanks. That's one way. I also just discovered that if they disable it, it just forces them to turn it back on again next time they try to log in.