Not planned Two-step verification = two steps to disable?

bzcomputers

Member
While testing out two-step verification (by accident), I found that disabling two-step verification within the usergroup permissions does not appear to disable it for the existing users within that usergroup.

My Scenario:
I accidentally turned on two-step verification for Administrators. I attempted to log in and found that it was turned on, so I went back into permissions and turned it off for Administrators. Only it did not disable it for existing users. It disabled it for any new administrator created, but existing administrators had to manually go into their own profile under "Password and security" and disable it there also.

My Question:
If I accidentally turn on two-step verification for registered users and then immediately turn it off, will each registered user still need to manually go in under their own profile and also disable two-step verification there? If this is true and unintended, please move into bug reports. If this is true and intended, I can see this being a huge headache for admins for a simple mistake of one click and save. I can only imagine the mass of emails and complaints coming in from registered users or any other group you make the mistake on.

Suggestion:
If it is true and intended, I think this could be handled better by XenForo. I couldn't find the table where this info is stored to see how it is currently done, but how about saving both a manual two-step verification (on/off) and a group permission two-step verification (on/off). Then if a usergroup is no longer required to have two-step verification it will default back to what the user originally had prior to being forced by usergroup permission into a two-step verification. Those who didn't have two-step verification manually turned on prior to their usergroup enforcing it will then automatically go back to it being disabled without any manual profile changes needed. Those who had it turned on prior to their usergroup enforcing it will just see no change, it will continue to work as before.
 

Chris D

XenForo developer
Staff member
You are correct and it is intended.

The option to enable two step verification is always available to every user in their options, regardless of options/permissions set. It is not possible to turn the function off. You can force it so that users have to enable it, but once they have enabled it, it is down to them to disable it if they wish to.

There are no plans to change anything here. We've had the feature for several years and never come across any situation as you describe where it is problematic. Besides anything, some of your users (and hopefully your admins) should be enabling the functionality themselves intentionally to ensure their accounts stay protected.

There's no global off switch for such a significant security feature and there are no plans to add one.
 

MIT

Member
There's an additional 2SV booby trap:


And there doesn't appear to be any option to search for 2SV status in User Search, which I would suggest as an improvement.
 

bzcomputers

Member
> There's an additional 2SV booby trap:
>
> And there doesn't appear to be any option to search for 2SV status in User Search, which I would suggest as an improvement.

Yes, clicking the "Quick Set" is what has caused problems with a few of us.

https://xenforo.com/community/threads/stuck-in-2fa-mode.161250/

Somewhere around here I made a suggestion that if an admin made a change to the 2FA settings for a group, it should cause a pop-up message asking the admin to confirm that they knew they were making changes to 2FA before actually saving a change to the 2FA option. It's just too easy to hit the Quick Set, especially if you are new to XenForo, which is when you'd be messing around with those permissions to begin with.
 