After using the trydiscord domain and then configuring the real custom domain to use, 2fa breaks. I believe fido2 associates domains with the key.
Also, another admin can’t disable the key; it becomes “invalid parameters” (same as Can't turn off 2 factor). Trying to migrate again to the same custom domain will also be denied because “Hostname already exists.”
I’m afraid there is no permanent solution available at this time, but you can contact the Discourse support email mentioned in your discourse admin area; they may be able to disable 2fa for all users.
It was solved by support by removing the security keys on my account. Don’t change domain name while having 2fa.
This should be a kind of common issue as you would change the domain when wanting to upgrade from discourse trial.
Oh, and don’t lose access to your e-mail, as that’s when you can request to remove security keys.
FWIW, you can use the backup keys. I’ve done this on staging sites where they have 2fa turned on and the production database gets restored to the staging site with its own domain name.
@balboah quick update, we have this assigned internally and will come up with some better process for moving from “trydiscourse.com” domain to real domain that accounts for this issue.
Yeah I might have not paid attention. But I did add 2 keys as a backup and assumed other admins could recover my account.
This was the physical key flow, not authenticator code.
So there’s a way to change the 2fa records to match the new domain? Ooh, that sounds like one more way to make a restore more complicated!
But if that’s the case, it would be nice to be able to do that on staging sites that restore a production database periodically. I can try to have a look at that in a week or two, either in a plugin or a PR.
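
For reference on why the security keys stopped working after the hostname change (an added example, not part of the thread and not Discourse's code): in WebAuthn/FIDO2 the authenticator data carries a SHA-256 hash of the relying party ID and the client data carries the origin, and both are checked against the site's current hostname. The Ruby sketch below uses hypothetical helper names and constructed hostnames, and leaves out signature and challenge verification.

```ruby
require "digest"
require "json"
require "uri"

# Added illustration with hypothetical helper names; not Discourse's code.
# Hostnames below are constructed sample values.
OLD_RP_ID = "example.trydiscourse.com"
NEW_RP_ID = "forum.example.com"

# Authenticator data starts with rpIdHash (32 bytes), flags (1), signCount (4).
def build_authenticator_data(rp_id, sign_count: 1)
  Digest::SHA256.digest(rp_id) + [0x01].pack("C") + [sign_count].pack("N")
end

def build_client_data(origin)
  JSON.generate("type" => "webauthn.get", "challenge" => "constructed-challenge", "origin" => origin)
end

# Browser-side rule, simplified: the RP ID must equal the page's host or be a
# parent domain of it (the real check also consults the public suffix list).
def rp_id_allowed_for_origin?(rp_id, origin)
  host = URI.parse(origin).host
  host == rp_id || host.end_with?(".#{rp_id}")
end

# Server-side checks that tie an assertion to a domain. Signature and
# challenge verification are separate steps and are not shown.
def domain_binding_errors(auth_data, client_data_json, expected_rp_id:, expected_origin:)
  return [:authenticator_data_too_short] if auth_data.bytesize < 37
  errors = []
  origin = JSON.parse(client_data_json)["origin"]
  errors << :origin_mismatch unless origin == expected_origin
  errors << :rp_id_hash_mismatch unless auth_data.byteslice(0, 32) == Digest::SHA256.digest(expected_rp_id)
  errors
end

# Assertion produced while the site still lived on the trial hostname.
def trial_assertion
  [build_authenticator_data(OLD_RP_ID), build_client_data("https://#{OLD_RP_ID}")]
end
```

An assertion bound to the trial hostname passes these checks only while the site still expects that hostname; once the expected RP ID and origin are the custom domain, both checks fail, and a page on the custom domain is not allowed to claim the trial hostname as its RP ID.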