Disable 2FA via console

This guide is intended for use when an admin is unable to disable 2-factor from the user admin page. The easiest way to disable 2-factor is through the admin user page.


Discourse supports two types of 2-factor options, TOTP (6-digit codes rotating every 30 seconds), and security key (Yubikey, biometric, etc.). Sometimes users will misconfigure their 2-factor device, lose or reset their phone, or otherwise no longer be able to use/obtain the 2-factor. Admins can then assist in reseting this for them.

:warning: Admins should be certain to verify that the user is the one making the request. Disabling 2-factor makes an account easier to hack, so be sure a bad party isn’t requesting the reset.

It is important to note that the two 2-factor types are stored in different DB tables, so even if one is empty you may need to check the other.

  1. First, you’ll need to know what user is having the issue. Obtain one of the following values from the user:

  2. Access the rails console via ssh.


    From local:

    ssh root@=SERVER_IP=
    

    From the server:

    cd /var/www/discourse
    sudo ./launcher enter app
    rails c
    
  3. Store the user_id as a variable in the console.

    • If you have the username:
      id = User.find_by_username('=USERNAME=').id
      
    • If you have the email:
      id = User.find_by_email('=EMAIL=').id
      
    • If you have the id:
      id = =USER_ID=
      
  4. Check for TOTP, and delete if needed.

    UserSecondFactor.where(user_id: id)
    UserSecondFactor.where(user_id: id).each(&:destroy!)
    
  5. Check for Security Keys, and delete if needed.

    UserSecurityKey.where(user_id: id)
    UserSecurityKey.where(user_id: id).each(&:destroy!)
    
11 Likes