I can’t disable 2fa on my account here on meta. When I click disable it suggests that it’s disabled, but when I reload, 2fa is still enabled, with all of my keys and such. I even get an email saying that it’s been disabled, but it’s not.
This might be related to having both a primary and a secondary email address? When I tried to log in on my phone just now it claimed that it needed to verify my literatecomputing.com email address. I thought that might un-do whatever twisted edge case has put me here, but alas, I 2fa is still enabled.
I got my phone logged in again, so it likely won’t bother me again for some months.
This seems like a legit bug, though it’s ilkely some edge case that’s a result of something that happened in the early days of 2fa.
Yeah, this is just a problem with security keys. Hitting the Disable button on the main Second Factor management page of your user profile only disables Token-based Authenticators when it should be disabling all of the Second Factor methods.
Noting that you can disable the keys by selecting the little pencil icon button next to the key name and hitting the trash can button on the modal:
I’ve had this bug on my list for a while, so this is my fault for dropping the ball. I think one thing that happened was that I saw this and didn’t look close enough:
I thought it likely fixed the issue and intended to prove that out, but I never got around to it. The above fix was from the admin perspective. I think the fix from the user perspective should be very similar. In any case, I’ll be sure to get a fix in the pipeline this week.
