Cannot disable 2FA for User

We have a user with 2FA enabled, and we cannot disable it for them.

Clicking the ‘Disable’ button on their account gives us:
image
(You supplied invalid parameters to the request: Discourse::InvalidParameters)

There is no row in the users_second_factors table for the user_id. I’ve tried adding a dummy row, which lets me click the ‘Disable’ button without error, but just deletes my dummy row and still leaves 2FA enabled for the user.

I’ve also tried the rake users:disable_2fa[username] rake task, which says 2FA disabled for user, but still shows Two Factor Authentication: Yes on the user’s profile in admin.

Anything else I can try?

Try via the rails console:

3 Likes

It’d also be good to know what version of Discourse you are running. There have been fixes for the inability to disable 2FA via the UI since the first release of 2FA.

3 Likes

Thanks @omarfilip … I did the UserSecondFactor delete but didn’t know about UserSecurityKey.

This user had no UserSecondFactor record, but they did have a UserSecurityKey record.

Once I removed that, their profile shows ‘Two Factor Authenciation: No’ – thanks!

@jomaxro We’re on 2.5.0.beta4 ( 8d3900c6da )

Seems like there still is an issue where I should be able to do this via the UI, but get the invalid parameters issue, possibly due to the missing UserSecondFactor record?

That version is old and unsupported, update as soon as possible.

2 Likes

Besides being old and unsupported, you’re also missing over a dozen security fixes, so your site is vulnerable. Please do upgrade.

1 Like