Can't disable 2fa

I can’t disable 2fa on my account here on meta. When I click disable it suggests that it’s disabled, but when I reload, 2fa is still enabled, with all of my keys and such. I even get an email saying that it’s been disabled, but it’s not.

This might be related to having both a primary and a secondary email address? When I tried to log in on my phone just now it claimed that it needed to verify my literatecomputing.com email address. I thought that might un-do whatever twisted edge case has put me here, but alas, 2fa is still enabled.

I got my phone logged in again, so it likely won’t bother me again for some months.

This seems like a legit bug, though it’s likely some edge case that’s a result of something that happened in the early days of 2fa.

I’ve reported this before, but we all just :man_shrugging:

Can we repro this @tshenry?

2 Likes

@pfaffman what are the odds that it’s isolated to a particular type of 2fa?

I just tried to repro this and my TOTP 2fa was disabled immediately.

Yeah, this is just a problem with security keys. Hitting the Disable button on the main Second Factor management page of your user profile only disables Token-based Authenticators when it should be disabling all of the Second Factor methods.

Noting that you can disable the keys by selecting the little pencil icon button next to the key name and hitting the trash can button on the modal.

I’ve had this bug on my list for a while, so this is my fault for dropping the ball. I think one thing that happened was that I saw this and didn’t look close enough:

https://github.com/discourse/discourse/pull/10144

I thought it likely fixed the issue and intended to prove that out, but I never got around to it. The above fix was from the admin perspective. I think the fix from the user perspective should be very similar. In any case, I’ll be sure to get a fix in the pipeline this week.

7 Likes
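
The behaviour described in the reply above, as an added example that is not part of the thread and not Discourse's code: a disable action that only switches off one method type, the corrected form, and a postcondition check that withholds the "disabled" email while any factor remains. All class, method and factor names are hypothetical and the account data is constructed.

```ruby
# Hypothetical model, not Discourse's schema: a factor has a kind and a flag.
Factor = Struct.new(:kind, :name, :enabled)

class Account
  attr_reader :factors, :outbox

  def initialize(factors)
    @factors = factors
    @outbox = [] # notifications that would be emailed to the user
  end

  def enabled_factors
    factors.select(&:enabled)
  end

  # Shape of the reported bug: only token-based authenticators are disabled.
  def disable_token_based_only
    factors.each { |f| f.enabled = false if f.kind == :totp }
  end

  # Corrected shape: every second factor method is disabled.
  def disable_every_factor
    factors.each { |f| f.enabled = false }
  end

  # Run a disable strategy, then verify the stored state before notifying,
  # so the email can never claim more than what actually happened.
  def disable_second_factor(strategy)
    public_send(strategy)
    left = enabled_factors.map(&:name)
    return { ok: false, still_enabled: left } unless left.empty?
    outbox << :second_factor_disabled_email
    { ok: true, still_enabled: [] }
  end
end

# Constructed sample: one TOTP authenticator and two security keys.
def sample_account
  Account.new([
    Factor.new(:totp, "phone app", true),
    Factor.new(:security_key, "key A", true),
    Factor.new(:security_key, "key B", true),
  ])
end

puts sample_account.disable_second_factor(:disable_token_based_only).inspect
puts sample_account.disable_second_factor(:disable_every_factor).inspect
```

The same postcondition works as a regression test: seed an account with every supported method type, run the disable action, and assert that nothing is left enabled.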

100%

I deleted them one at a time and it Just Worked. Not sure why that didn’t occur to me before. Sorry about that.

So, if there is a bug, it’s something about the TURN THEM ALL OFF option.

4 Likes

This should be fixed now :slight_smile:

https://github.com/discourse/discourse/pull/10485

4 Likes
