Admin locked out of site after deleting two-factor keys from prefs

Steps to reproduce

  1. Be an admin on an up-to-date Discourse site with one or more two-factor keys enabled, such as security keys and an authenticator app.
  2. Be able to log in and out successfully with those two-factor keys.
  3. Ensure that the site setting for enforcing two-factor logins is set to “no”.
  4. Delete all of the two-factor items from your (admin) account using the standard UI tools in the Security tab of the admin’s user profile preferences.
  5. Log out.

Expected behavior

  1. Log in to the site with username and password; access granted; or
  2. Log in to the site with “email me a link”; access granted.

Actual behavior

Both “expected” scenarios fail with an error message, and login is not allowed:

The selected two-factor method is not enabled for your account.

There is no further way to log in with the admin’s account.


It is worth noting that I am not actually locked out of the site in question; I had another session still active on another computer and was able to go over to that session and re-add a token-based authenticator to get back in. However, had I not had another session I would have been “fully” locked out.

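As an added illustration of the failure mode described in the report above (this is not Discourse code, and the class names, the `enforce_second_factor` setting and the symbolic result values are all hypothetical), the following toy model runs the reporter's steps against two accounts: one whose "this user requires a second factor" state is a cached flag set at enrollment, and one that derives that state from the methods actually enrolled and refuses to delete the last method while enforcement is on.

```ruby
# Added example, not Discourse's code. Everything here is a hypothetical
# minimal model of a second-factor login gate; the "enforce_second_factor"
# setting and the result symbols are assumptions for illustration.

SecondFactor = Struct.new(:kind) # kind: :totp, :security_key, :backup_codes

# Login gate. The primary factor (password, or an emailed login link) is
# assumed to have been verified already; this decides whether a second factor
# is demanded and whether the one offered is actually enrolled.
def attempt_login(account, second_factor: nil)
  return :granted unless account.second_factor_required?
  return :second_factor_required if second_factor.nil?
  return :granted if account.enrolled?(second_factor)

  :selected_method_not_enabled # the error the reporter hit
end

# Buggy variant: "second factor enabled" is a flag set at enrollment and never
# cleared on removal, so the gate keeps demanding a method that no longer exists.
class CachedFlagAccount
  def initialize
    @factors = []
    @second_factor_flag = false
  end

  def enroll(kind)
    @factors << SecondFactor.new(kind)
    @second_factor_flag = true
  end

  def remove_all
    @factors.clear # flag deliberately left as-is: this is the bug
  end

  def second_factor_required?
    @second_factor_flag
  end

  def enrolled?(kind)
    @factors.any? { |f| f.kind == kind }
  end
end

# Fixed variant: the requirement is derived from what is enrolled right now,
# and removing the last method is refused while 2FA is enforced for the user.
class DerivedAccount
  class LastMethodError < StandardError; end

  def initialize(enforce_second_factor: false)
    @factors = []
    @enforce = enforce_second_factor
  end

  def enroll(kind)
    @factors << SecondFactor.new(kind)
  end

  def remove(kind)
    remaining = @factors.reject { |f| f.kind == kind }
    if @enforce && remaining.empty?
      raise LastMethodError, "2FA is enforced for this user; enroll another method first"
    end
    @factors = remaining
  end

  def remove_all
    @factors.map(&:kind).uniq.each { |k| remove(k) }
  end

  def second_factor_required?
    !@factors.empty?
  end

  def enrolled?(kind)
    @factors.any? { |f| f.kind == kind }
  end
end

# Walk the reporter's steps (enroll two methods, delete them all, log in again)
# against both models and return what the gate decides for each.
def reproduce
  buggy = CachedFlagAccount.new
  buggy.enroll(:totp)
  buggy.enroll(:security_key)
  buggy.remove_all

  fixed = DerivedAccount.new(enforce_second_factor: false)
  fixed.enroll(:totp)
  fixed.enroll(:security_key)
  fixed.remove_all

  {
    buggy_after_removal: attempt_login(buggy, second_factor: :totp),
    fixed_after_removal: attempt_login(fixed)
  }
end
```

With enforcement off, the derived account lets the password (or emailed link) through on its own once every method is gone, which is the "expected" behaviour in the report; the cached-flag account reproduces the "selected two-factor method is not enabled" dead end. With enforcement on, the derived account refuses to delete the last method instead of letting the user create the lockout.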

Thanks for reporting this. I’ve had it bookmarked for the past few days, but haven’t got around to testing it yet. I assume that what you’re reporting is correct, but will take a close look at it next week.


I guess this is the bug? We should not allow that if your site setting says that all admins must have 2fa enabled.

I think you are not fully locked out, you can use the console to recover now, but we should not make it easy for you to create a pathological situation.

I’m not quite sure that’s the right logic? I didn’t have “enforce second factor” set to anything but the default value of “no”, and it’s not really safe to assume that every installation has more than one admin account. It seems that once the 2FA keys are removed from the profile, some other flag is not being removed somewhere…

I think you are not fully locked out, you can use the console to recover now

I suppose this is a valid emergency workaround although it may be beyond the skills of an admin who does not also manage their server and they might have to track down a sysadmin.


I’m wondering if the recovery codes were left alone. Can you try entering one of those?
