Not planned Option to disable 2FA globally

RichardKYA

Well-known member
I would like to see an option to enable/disable 2FA globally.

While providing better security for members is great, for some sites it could be problematic for different reasons and whatever the reason may be, I think it should be the site owner's choice and not just the members' choice.

I would think many site owners and their staff will want to familiarise themselves with the new feature before giving their members the option to use it because it will allow them to offer better assistance/support to their members when the inevitable influx of "I'm locked out of my account..." panic e-mails come flooding in.

While there are other reasons, I believe this reason alone should be why having this as an enable/disable globally option should be added.
 
Upvote 45
This suggestion has been closed. Votes are no longer accepted.
Generally I'm not in favour of this, but if you really want to implement it then maybe use a user group-based approach.
So that you can e.g. use 2FA for staff accounts (where you maybe consider it more useful) while deactivating it for regular users.
 
There are currently no plans to add this. We want to encourage its usage. You are of course free to remove it via templates; there are really only two links into the system.
 
While I am all for security and privacy.....

Why not provide an "option" to disable it?

Admins should be allowed to be flexible.
Forcing something onto admins is never a great idea.
 
We force users to have an email address and a password. Is that a bad thing? The difference is, no one is forced to use this. It's just there if people wish to use it.

Where possible this is a technology that should be embraced by admins instead of brushed under the carpet because they don't understand it or don't think their users will understand it.

If an admin doesn't understand it, it is their responsibility to get clued up on it as quickly as possible (it takes 5 minutes to understand, but should anyone have any questions, please ask). If a user doesn't understand it, chances are they won't use it.

Think back over the last few years. Probably one of the most common things to hear about is some forum somewhere or some corporation getting their password databases hacked. What invariably happens is that's then distributed on the internet for all to see and exploit. This technology is the single most important thing to prevent a password leak such as this being able to give unauthorised access to their entire online identity.

The people who care about their online privacy and security (that should be everyone) are going to be the ones that wonder why they can protect their emails, their Facebook account, their other social media presence, their bank accounts but they can't protect their forum account in the same way. And they might also be the ones that, if they fall victim to such an exploit, will ask you why such an important feature was disabled when they needed it.

And, if you're now thinking, "but there's a world of difference between my forum about <insert niche here> and internet banking" I refer you back to one of my opening sentences:
The difference is, no one is forced to use this. It's just there if people wish to use it.
 
The first post of that thread makes it very clear how it works.

You could adjust it to the needs of your users and add it to a Help Page in the Admin CP and direct people there should they require any assistance with it.
 
The second one has its pros and cons compared to Andy's add-on:

Pros: also blocks direct URL access.
Cons: requires registration on a third party site.
 
Hello all,

As there are no plans to have an option to disable this feature, does anyone know what code and where would need to be removed/commented out to remove this feature as if it were never added in the first place? I don't just mean template edits, and link removals, I mean the whole lot, js files, php files, etc that contain any code relating to 2FA. Does anyone know please?

Without an option to disable it, the only thing I can think of is to remove it fully to save any direct url links leading to nowhere/error message, I also had a couple of cases where test user accounts were prompted to enable 2FA upon login as if it was required before they could continue, so I would rather just remove it like it never existed to save any confusion later down the line ;)

I just need some help with "what and where" needs to be removed/commented out, if the day ever comes that I decide to enable this feature, I can just re-add/un-comment the code, but until that day, I want it gone! >:D **evil cackle**

Any help would be much appreciated :)

Thank you
 