Fixed TFA can still be configured even if disabled via config.php


Well-known member
Affected version
If TFA is disabled via config.php $config['enableTfa'] ) false; and users to have permission to use TFA, they can still configure it but it does not have any effect.

This is confusing and might/will lead users to believe there accout is protected while in fact it is not.

Therefore I think it should not be possible to confgure TFA if it is disabled via config.php
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.12).

Change log:
Prevent configuration of two-factor authentication when it is disabled via the config.php switch
There may be a delay before changes are rolled out to the XenForo Community.
Top Bottom