Not a bug Stuck in 2FA mode

NealC

NealC

Well-known member
Affected version
2.1
Just installed 2.1 and imported vB 4. In setting user group permissions I used the set all to yes option not realizing it required 2FA. So I went through 2FA once on my account then turn it off. Now everytime I login I still have to use 2FA even though it's not on in any of the user group roles/permissions. So it seems once I had to use 2FA it won't stop using it going forward.
 
Ahh, you've had my same expierience.... ;)

You need to go into your specific user profile and turn it off there also.

Once a usergroup has had 2FA turned on, just turning it off for the usergroup does not work, you have to go into the user profile and turn it off there also..

Beware: That also means If you turn it on accidentally for Registered users, each of your users will have to manually go in to their profiles and turn it off also. Which probably means say goodbye to a lot of users.

This is not considered a bug, but can be a big issue so beware!
 
bzcomputers said:
Ahh, you've had my same expierience.... ;)

You need to go into your specific user profile and turn it off there also.

Once a usergroup has had 2FA turned on, just turning it off for the usergroup does not work, you have to go into the user profile and turn it off there also..

Beware: That also means If you turn it on accidentally for Registered users, each of your users will have to manually go in to their profiles and turn it off also. Which probably means say goodbye to a lot of users.

This is not considered a bug, but can be a big issue so beware!
Click to expand...

Well I may have had it on momentarily but the forum was still private while being configured so no one actually logged on and used 2FA other than me.
 
NealC said:
Well I may have had it on momentarily but the forum was still private while being configured so no one actually logged on and used 2FA other than me.
Click to expand...

If you set "All To Yes" for Registered users for 1 second (saved the settings) and then turned it off, whether any user has actually logged in or not they are all still stuck with 2FA turned on until each user manually logs in through 2FA goes into their profile settings and turns it off.

If you made the mistake with the Administrators group consider yourself lucky.
 
Sorry, that's the lazy approach saying by design. If the user group permission says NO or NEVER to 2FA then that's would it should be unless the user opted in external to the user group permissions.
 
If "not a bug" then add a tool to allow admins to turn this off for users fitting query params like user search tools.
 
bzcomputers said:
If you set "All To Yes" for Registered users for 1 second (saved the settings) and then turned it off, whether any user has actually logged in or not they are all still stuck with 2FA turned on until each user manually logs in through 2FA goes into their profile settings and turns it off.
Click to expand...
I just tested this, it did not happen like that. As soon as I reverted that permission to no, then users no longer required Two Step.
 
bzcomputers said:
I made a suggestion just a week ago, but it was turned down pretty quick...
https://xenforo.com/community/threads/two-step-verification-two-steps-to-disable.160890/

Maybe I should go back and suggest the 2FA setting should be in BOLD RED and be ignored by "Quick Set" changes. Although I prefer my original suggestions.

Anyways, it is supposedly working as designed.
Click to expand...

I think you're confusing Require 2FA with actual usage of 2FA by users.

2FA is always available to the user. The above permission simply forces users in a group to SET their 2FA. Once set I absolutely agree that you can't have the Admin disable it for security reasons group wide. It's similar to resetting the password for an entire group of users.
 
ichpen said:
I think you're confusing Require 2FA with actual usage of 2FA by users.

2FA is always available to the user. The above permission simply forces users in a group to SET their 2FA. Once set I absolutely agree that you can't have the Admin disable it for security reasons group wide. It's similar to resetting the password for an entire group of users.
Click to expand...

I wasn't confused about how it was implemented. Just concerned at how easy it is to make a mistake and force it on for whole groups when not intended through permission settings. I believe 2FA, sense it is such an important permission, should stand out better than it does in the settings so mistakes like I made and the original thread starter here made. 2 of us in the same week with the same exact issue leads me to believe me are not alone.
 
bzcomputers said:
I wasn't confused about how it was implemented. Just concerned at how easy it is to make a mistake and force it on for whole groups when not intended through permission settings. I believe 2FA, sense it is such an important permission, should stand out better than it does in the settings so mistakes like I made and the original thread starter here made. 2 of us in the same week with the same exact issue leads me to believe me are not alone.
Click to expand...
Where can I find this setting in the Admin. I am the super Admin and want to turn off for the group as a whole.
 

Similar threads

TimWilson
Identifying ACTUAL inactive accounts, and requiring 2FA
Replies
4
Views
390
woody
woody
A
Not a bug User uploaded avatar with usergroup options disabling it
Replies
3
Views
339
Jeremy P
Jeremy P
Mr Lucky
Duplicate Resource text not viewable in dark mode
Replies
3
Views
385
Paul B
Paul B
Rengobli
Add-on Custom Login Add-On
Replies
0
Views
639
Rengobli
Rengobli
Recep Baltaş
Not a bug SITE STUCK IN UPDATER MODE
Replies
4
Views
1K
Chris D
Chris D
Top Bottom