2fa security key breaks when migrating to custom domain

After using the trydiscord domain and then configuring the real custom domain to use, 2fa breaks. I believe fido2 associates domains with the key.

Also another admin can’t disable the key, it becomes “invalid parameters” (same as Can't turn off 2 factor). Trying to migrate again to the same custom domain will also be denied because “Hostname already exists.”

My account is then bricked, please advise.

1 Like
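The domain binding the post above refers to, as an added example that is not part of the thread and not Discourse's code: a WebAuthn authenticator puts SHA-256 of the relying party ID (a domain) at the start of its authenticator data, and the server compares it with its own RP ID. The hostnames and credential names below are constructed, the parent-domain rule is simplified (no public suffix list), and signature verification is left out.

```python
import hashlib
import hmac
import struct

OLD_HOST = "example.trydiscourse.com"  # constructed trial hostname
NEW_HOST = "forum.example.com"         # constructed custom domain

def make_authenticator_data(rp_id, sign_count, flags=0x05):
    """Constructed authenticator data: rpIdHash(32) || flags(1) || signCount(4)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_id_hash + struct.pack(">BI", flags, sign_count)

def check_assertion(auth_data, expected_rp_id):
    """Server-side RP ID check only; a real verifier also checks the signature."""
    if len(auth_data) < 37:
        return "malformed"
    expected = hashlib.sha256(expected_rp_id.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected):
        return "rp_id_mismatch"
    if not auth_data[32] & 0x01:  # bit 0 of flags: user present
        return "user_not_present"
    return "ok"

def rp_id_allowed_for_host(rp_id, host):
    """Simplified client rule: RP ID is the host itself or a parent domain."""
    return host == rp_id or host.endswith("." + rp_id)

def credentials_broken_by_migration(credentials, new_host):
    """Names of stored credentials that cannot be used from new_host."""
    return [c["name"] for c in credentials
            if not rp_id_allowed_for_host(c["rp_id"], new_host)]

# Constructed credential records; a TOTP secret has no RP ID and is unaffected.
CREDS = [
    {"name": "yubikey-1", "rp_id": OLD_HOST},
    {"name": "yubikey-2", "rp_id": OLD_HOST},
]

if __name__ == "__main__":
    auth = make_authenticator_data(OLD_HOST, sign_count=7)
    print("verified as old host:", check_assertion(auth, OLD_HOST))
    print("verified as new host:", check_assertion(auth, NEW_HOST))
    print("broken by migration:", credentials_broken_by_migration(CREDS, NEW_HOST))
```

Running the audit function over stored credentials before a hostname change shows which users need backup codes or a re-registration step first.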

maybe you could try this:

This is the managed discourse paid plan migration. So I’m afraid I don’t think I have that low level access.

1 Like

I’m afraid there is no permanent solution available at this time but you can contact the Discourse support email mentioned in your discourse admin area, they may be able to disable 2fa for all users.

2 Likes

I think so too. If you don’t have backup keys you’ll need to contact support.

It was solved by support by removing the security keys on my account. Don’t change domain name while having 2fa :slight_smile:
This should be a kind of common issue as you would change the domain when wanting to upgrade from discourse trial.

Oh and don’t lose access to your e-mail as that’s when you can request to remove security keys :wink:

5 Likes

FWIW, you can use the backup keys. I’ve done this on staging sites where they have 2fa turned on and the production database gets restored to the staging site with its own domain name.

2 Likes

@balboah quick update, we have this assigned internally and will come up with some better process for moving from “trydiscourse.com” domain to real domain that accounts for this issue.

3 Likes

Yeah I might have not paid attention. But I did add 2 keys as a backup and assumed other admins could recover my account.
This was the physical key flow, not authenticator code.

2 Likes