Not planned Two-step verification = two steps to disable?

bzcomputers

bzcomputers

Well-known member
While testing out two-step verification (on accident), I found that disabling two-step verification within the usergroup permissions does not appear to disable it for the existing users within that usergroup.

My Scenario:
I accidentally turned on two-step verification for Administrators. I attempted to login and found that it was turned on, so I went back into permissions and turned it off for Administrators. Only it did not disable it for existing users. It disabled it for any new administrator created but for existing administrators they had to manually go into there own profile under "Password and security" and disable it there also.

My Question:
If I accidentally turn on two-step verification for registered users and then immediately turn it off will each registered users still need to manually go in under their own profiles and also disable two-step verification there? If this is true and unintended please move into bug reports. If this is true and intended, I can see this being a huge headache for admins for a simple mistake of one click and save. I can only imagine the the mass of emails and complaints coming in from registered users or any other group you make the mistake on.

Suggestion:
If it is true and intended, I think this could be handled better by XenForo. I couldn't find the table where this info is stored to see how it is currently done, but how about saving both a manual two-step verification (on/off) and a group permission two-step verification (on/off). Then if a usergroup is no longer required to have two-step verification it will default back to what the user originally had prior to being forced by usergroup permission into a two-step verification. Those who didn't have two-step verification manually turned on prior to their usergroup enforcing it will then automatically go back to it being disabled without any manual profile changes needed. Those who had it turned on prior to their usergroup enforcing it will just see no change, it will continue to work as before.
 
Upvote 0
This suggestion has been closed. Votes are no longer accepted.
You are correct and it is intended.

The option to enable two step verification is always available to every user in their options, regardless of options/permissions set. It is not possible to turn the function off. You can force it so that users have to enable it, but once they have enabled it, it is down to them to disable it if they wish to.

There are no plans to change anything here. We've had the feature for several years and never come across any situation as you describe where it is problematic. Besides anything, some of your users (and hopefully your admins) should be enabling the functionality themselves intentionally to ensure their accounts stay protected.

There's no global off switch for such a significant security feature and there are no plans to add one.
 
There's an additional 2SV booby trap:

xenforo.com

Lack of interest - Quick Set two-step trap

When editing a user group, choosing Quick Set = Yes turns on "Require two-step verification". This is easy to overlook in the Quick Set process but has a very big effect. (I wonder if there might be a better way to manage that.)
xenforo.com xenforo.com

And there doesn't appear to be any option to search for 2SV status in User Search, which I would suggest as an improvement.
 
MIT said:
There's an additional 2SV booby trap:

xenforo.com

Lack of interest - Quick Set two-step trap

When editing a user group, choosing Quick Set = Yes turns on "Require two-step verification". This is easy to overlook in the Quick Set process but has a very big effect. (I wonder if there might be a better way to manage that.)
xenforo.com xenforo.com

And there doesn't appear to be any option to search for 2SV status in User Search, which I would suggest as an improvement.
Click to expand...

Yes, clicking the "Quick Set" is what has caused problems with a few of us.

https://xenforo.com/community/threads/stuck-in-2fa-mode.161250/

Somewhere around here I made a suggestion that if an admin made a change to the 2FA settings for a group that it should cause a pop-up message asking the admin to confirm that they knew they were making changes to 2FA before actually saving a change to the 2FA option. It's just to easy to hit the Quick Set especially if you are new to XenForo which is when you'd be messing around with those permissions to begin with.
 
Chris D said:
You are correct and it is intended.

The option to enable two step verification is always available to every user in their options, regardless of options/permissions set. It is not possible to turn the function off. You can force it so that users have to enable it, but once they have enabled it, it is down to them to disable it if they wish to.

There are no plans to change anything here. We've had the feature for several years and never come across any situation as you describe where it is problematic. Besides anything, some of your users (and hopefully your admins) should be enabling the functionality themselves intentionally to ensure their accounts stay protected.

There's no global off switch for such a significant security feature and there are no plans to add one.
Click to expand...
That's too bad. I am here searching for answers to the same problem. This is not the answer I was hoping for.
 

Similar threads

K
  • Suggestion Suggestion
Require Two-Step verification to change Two-step verification options
Replies
2
Views
622
Wildcat Media
Wildcat Media
C
  • Question Question
XF 2.2 disable the protection layer of two-step verification
Replies
1
Views
337
duderuud
duderuud
R
  • Question Question
XF 2.2 Login two steps
Replies
9
Views
453
Robert9
R
XDinc
[XTR] Manage Two-step Verification Providers
Replies
1
Views
585
alfaNova
alfaNova
T
  • Question Question
XF 1.5 Two-Step Verification, admin login email confirmation.
Replies
4
Views
612
The West wind
T
Top Bottom