- Be an admin on an up-to-date Discourse site with one or more two-factor keys enabled, such as security keys and an authenticator app.
- Be able to log in and out successfully with those two-factor keys.
- Ensure that the site setting for enforcing two-factor logins is set to “no”.
- Delete all of the two-factor items from your (admin) account using the standard UI tools in the Security tab of the admin’s user profile preferences.
- Log out.
- Log in to site with username or password; access granted; or
- Log in to site with “email me a link”; access granted.
Both “expected” scenarios fail with an error message, and login is not allowed:

> The selected two-factor method is not enabled for your account.

There is no further way to log in with the admin’s account.
It is worth noting that I am not actually locked out of the site in question; I had another session still active on another computer and was able to go over to that session and re-add a token-based authenticator to get back in. However, had I not had another session I would have been “fully” locked out.