Not a bug Stuck in 2FA mode

Affected version
2.1

NealC

Member
Just installed 2.1 and imported vB 4. In setting user group permissions I used the set all to yes option, not realizing it required 2FA. So I went through 2FA once on my account, then turned it off. Now every time I log in I still have to use 2FA even though it's not on in any of the user group roles/permissions. So it seems once I had to use 2FA it won't stop using it going forward.
 

bzcomputers

Member
Ahh, you've had my same experience.... ;)

You need to go into your specific user profile and turn it off there also.

Once a usergroup has had 2FA turned on, just turning it off for the usergroup does not work, you have to go into the user profile and turn it off there also.

Beware: That also means if you turn it on accidentally for Registered users, each of your users will have to manually go in to their profiles and turn it off also. Which probably means say goodbye to a lot of users.

This is not considered a bug, but can be a big issue so beware!
 

NealC

Member
Ahh, you've had my same experience.... ;)

You need to go into your specific user profile and turn it off there also.

Once a usergroup has had 2FA turned on, just turning it off for the usergroup does not work, you have to go into the user profile and turn it off there also.

Beware: That also means if you turn it on accidentally for Registered users, each of your users will have to manually go in to their profiles and turn it off also. Which probably means say goodbye to a lot of users.

This is not considered a bug, but can be a big issue so beware!
Well I may have had it on momentarily but the forum was still private while being configured so no one actually logged on and used 2FA other than me.
 

bzcomputers

Member
Well I may have had it on momentarily but the forum was still private while being configured so no one actually logged on and used 2FA other than me.
If you set "All To Yes" for Registered users for 1 second (saved the settings) and then turned it off, whether any user has actually logged in or not, they are all still stuck with 2FA turned on until each user manually logs in through 2FA, goes into their profile settings and turns it off.

If you made the mistake with the Administrators group consider yourself lucky.
 

NealC

Member
Found it, thanks! Not thrilled with this situation but at least I know how to get out of it now.
 

NealC

Member
Sorry, that's the lazy approach saying by design. If the user group permission says NO or NEVER to 2FA then that's what it should be unless the user opted in external to the user group permissions.
 

NealC

Member
If "not a bug" then add a tool to allow admins to turn this off for users fitting query params like user search tools.
 

Mr Lucky

Well-known member
If you set "All To Yes" for Registered users for 1 second (saved the settings) and then turned it off, whether any user has actually logged in or not, they are all still stuck with 2FA turned on until each user manually logs in through 2FA, goes into their profile settings and turns it off.
I just tested this, it did not happen like that. As soon as I reverted that permission to no, then users no longer required Two Step.
 

ichpen

Well-known member
I made a suggestion just a week ago, but it was turned down pretty quick...
https://xenforo.com/community/threads/two-step-verification-two-steps-to-disable.160890/

Maybe I should go back and suggest the 2FA setting should be in BOLD RED and be ignored by "Quick Set" changes. Although I prefer my original suggestions.

Anyways, it is supposedly working as designed.
I think you're confusing Require 2FA with actual usage of 2FA by users.

2FA is always available to the user. The above permission simply forces users in a group to SET their 2FA. Once set I absolutely agree that you can't have the Admin disable it for security reasons group wide. It's similar to resetting the password for an entire group of users.
 

bzcomputers

Member
I think you're confusing Require 2FA with actual usage of 2FA by users.

2FA is always available to the user. The above permission simply forces users in a group to SET their 2FA. Once set I absolutely agree that you can't have the Admin disable it for security reasons group wide. It's similar to resetting the password for an entire group of users.
I wasn't confused about how it was implemented. Just concerned at how easy it is to make a mistake and force it on for whole groups when not intended through permission settings. I believe 2FA, since it is such an important permission, should stand out better than it does in the settings so mistakes like I made and the original thread starter here made. 2 of us in the same week with the same exact issue leads me to believe we are not alone.
 