XF 2.2 Members' 2FA problems. Link or QR code to re-activate?

Stuart Wright

Well-known member
I confess I don't understand what's going on behind the scenes WRT 2FA, but we've had a few members asking how to find a link/QR code so they can log in.
E.g.
Hi - trying to find the link/QR code to re-activate my 2FA to login - just done a macOS update and it's logged me out on both machines and as I have replaced my iPhone I can't get the activator code from the app as it hasn't transferred over the settings ! ... btw can you make a link in one of the FAQs as this issue isn't covered (as far as I can see/search ! ) ... thanks

How do I find our link/QR code?
Thanks
 
How do I find our link/QR code?
The QR code only appears when they first activate 2FA and want to use verification via app. Their phone 2FA app is then used to scan the QR code to receive the initial linking code between their app and your site (QR code scan being easier than typing out the ~20 character alphanumeric to achieve the same outcome). Once set up/linked, the phone 2FA app then gives the 30-second rolling six-digit code, needed to validate their logon approx. every 30 days.

If they've both been logged out and lost access to their 2FA phone app at the same time, they cannot themselves reinitiate 2FA and get another QR code for linking their app and your site again. Admin will have to use ACP to locate the user account and disable 2FA on their account. User can then log on normally (username and password only), and decide to (re)activate 2FA and go through the app linking with QR code process again.
 
Solution
Indeed.

If an end user can bypass/disable 2FA because they've changed devices, lost the app, etc. then it would render the security of it worthless.
 
I see that. But the process involves contacting us from their registered email address and then a moderator having to manually deactivate 2FA.
If there was any way of doing it using less manpower, that would be better.
Like I say, I’m a noob to 2FA.
 