Cannot disable 2FA for User

Brandon_Martus · February 4, 2021, 10:23pm

We have a user with 2FA enabled, and we cannot disable it for them.

Clicking the ‘Disable’ button on their account gives us:

(You supplied invalid parameters to the request: Discourse::InvalidParameters)

There is no row in the users_second_factors table for the user_id. I’ve tried adding a dummy row, which lets me click the ‘Disable’ button without error, but just deletes my dummy row and still leaves 2FA enabled for the user.

I’ve also tried the rake users:disable_2fa[username] rake task, which says 2FA disabled for user, but still shows Two Factor Authentication: Yes on the user’s profile in admin.

Anything else I can try?

omarfilip · February 5, 2021, 2:53pm

Try via the rails console:

jomaxro · February 5, 2021, 12:47am

It’d also be good to know what version of Discourse you are running. There have been fixes for the inability to disable 2FA via the UI since the first release of 2FA.

Brandon_Martus · February 5, 2021, 2:53pm

Thanks @omarfilip … I did the UserSecondFactor delete but didn’t know about UserSecurityKey.

This user had no UserSecondFactor record, but they did have a UserSecurityKey record.

Once I removed that, their profile shows ‘Two Factor Authenciation: No’ – thanks!

@jomaxro We’re on 2.5.0.beta4 ( 8d3900c6da )

Seems like there still is an issue where I should be able to do this via the UI, but get the invalid parameters issue, possibly due to the missing UserSecondFactor record?

Falco · February 5, 2021, 4:31pm

That version is old and unsupported, update as soon as possible.

jomaxro · February 5, 2021, 7:57pm

Besides being old and unsupported, you’re also missing over a dozen security fixes, so your site is vulnerable. Please do upgrade.