XF 2.2 Members' 2FA problems. Link or QR code to re-activate?

Stuart Wright

Well-known member
I confess I don't understand what's going on behind the scenes WRT 2FA, but we've had a few members asking how to find a link/QR code so they can log in.
E.g.
Hi - trying to find the link/QR code to re-activate my 2FA to login - just done a macOS update and it's logged me out on both machines and as I have replaced my iPhone I can't get the activator code from the app as it hasn't transferred over the settings ! ... btw can you make a link in one of the FAQs as this issue isn't covered (as far as I can see/search ! ) ... thanks

How do I find our link/QR code?
Thanks
 
Solution
How do I find our link/QR code?
The QR code only appears when they first activate 2FA and want to use verification via app. Their phone 2FA app then used to scan the QR code to receive the initial linking code between their app and your site (QR code scan being easier than typing out the ~20 character alphanumeric to achieve same outcome). Once setup/linked, the phone 2FA app then gives the 30sec rolling six digit code, needed to validate their logon approx. every 30 days.

If they've both been logged-out and lost access to their 2FA phone app at the same time, they cannot themselves reinitiate 2FA and get another QR code for linking their app and your site again. Admin will have to use ACP to locate the user account and disable...

Mouth

Well-known member
How do I find our link/QR code?
The QR code only appears when they first activate 2FA and want to use verification via app. Their phone 2FA app then used to scan the QR code to receive the initial linking code between their app and your site (QR code scan being easier than typing out the ~20 character alphanumeric to achieve same outcome). Once setup/linked, the phone 2FA app then gives the 30sec rolling six digit code, needed to validate their logon approx. every 30 days.

If they've both been logged-out and lost access to their 2FA phone app at the same time, they cannot themselves reinitiate 2FA and get another QR code for linking their app and your site again. Admin will have to use ACP to locate the user account and disable 2FA on their account. User can then logon normally (username and password only), and decide to (re)activate 2FA and go through the app linking with QR code process again.
 
Solution

Brogan

XenForo moderator
Staff member
Indeed.

If an end user can bypass/disable 2FA because they've changed devices, lost the app, etc. then it would render the security of it worthless.
 

Stuart Wright

Well-known member
I see that. But the process involves contacting us from their registered email address and then a moderator having to manually deactivate 2FA.
If there was any way of doing it using less man power, that would be better.
Like I say, I’m a noob to 2FA.
 
Top