This guide is intended for use when an admin is unable to disable 2-factor from the user admin page. The easiest way to disable 2-factor is through the admin user page.
Discourse supports two types of 2-factor options, TOTP (6-digit codes rotating every 30 seconds), and security key (Yubikey, biometric, etc.). Sometimes users will misconfigure their 2-factor device, lose or reset their phone, or otherwise no longer be able to use/obtain the 2-factor. Admins can then assist in resetting this for them.
Admins should be certain to verify that the user is the one making the request. Disabling 2-factor makes an account easier to hack, so be sure a bad party isn’t requesting the reset.
It is important to note that the two 2-factor types are stored in different DB tables, so even if one is empty you may need to check the other.
- First, you’ll need to know what user is having the issue. Obtain one of the following values from the user:
- Access the rails console via ssh.
  From local:
      ssh root@=SERVER_IP=
  From the server:
      cd /var/www/discourse
      sudo ./launcher enter app
      rails c
- Store the user_id as a variable in the console.
  - If you have the username:
        id = User.find_by_username('=USERNAME=').id
  - If you have the email:
        id = User.find_by_email('=EMAIL=').id
  - If you have the id:
        id = =USER_ID=
- Check for TOTP, and delete if needed.
      UserSecondFactor.where(user_id: id)
      UserSecondFactor.where(user_id: id).each(&:destroy!)
- Check for Security Keys, and delete if needed.
      UserSecurityKey.where(user_id: id)
      UserSecurityKey.where(user_id: id).each(&:destroy!)
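The last two steps can be combined into one dry-run-first helper that inspects both tables before anything is deleted and re-queries afterwards. This is an added example, not Discourse's own code: `reset_second_factors`, `second_factor_rows`, `StandInTable` and `demo_tables` are hypothetical names, and the stand-in tables hold constructed data so the block runs outside the rails console.

```ruby
# Added example: dry-run-first reset covering both 2-factor tables.
# In the Discourse rails console, pass the real models from the steps above:
#   reset_second_factors(id, [UserSecondFactor, UserSecurityKey])
# The function only relies on .name, .where(user_id:) and #destroy!.

# Collect the matching rows from every table, keyed by model name.
def second_factor_rows(user_id, models)
  models.to_h { |m| [m.name, m.where(user_id: user_id).to_a] }
end

# Without confirm: true nothing is deleted; the counts show what would go.
def reset_second_factors(user_id, models, confirm: false)
  found  = second_factor_rows(user_id, models)
  counts = found.transform_values(&:size)
  return { deleted: false, counts: counts } unless confirm

  found.each_value { |rows| rows.each(&:destroy!) }
  # Re-query so a leftover row in either table is noticed immediately.
  left = second_factor_rows(user_id, models).transform_values(&:size)
  raise "2-factor rows remain: #{left}" unless left.values.all?(&:zero?)
  { deleted: true, counts: counts }
end

# --- Constructed stand-ins so the example runs outside Discourse ---
class StandInTable
  Row = Struct.new(:table, :user_id) do
    def destroy!
      table.rows.delete_if { |r| r.equal?(self) }
    end
  end
  attr_reader :name, :rows

  def initialize(name, user_ids)
    @name = name
    @rows = user_ids.map { |u| Row.new(self, u) }
  end

  def where(user_id:)
    @rows.select { |r| r.user_id == user_id }
  end
end

# Constructed data: user 42 has no TOTP row but has one security key.
def demo_tables
  [StandInTable.new("UserSecondFactor", [7]),
   StandInTable.new("UserSecurityKey", [42, 7])]
end
```

Run it once without `confirm: true` and compare the counts with what the user reported before running it again to delete.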