This guide provides instructions for administrators on how to disable two-factor authentication (2FA) via the console.
Required user level: System Admin
Console access required
This guide should only be used when 2FA cannot be disabled from the user admin page.
Discourse supports two types of two-factor authentication: TOTP (6-digit codes that rotate every 30 seconds) and security keys (YubiKey, biometric, etc.). Users sometimes misconfigure their 2FA device, lose or reset their phone, or otherwise lose access to their second factor. Admins can then assist in resetting it for them.
Admins should be certain to verify that the user is the one making the request. Disabling 2FA makes an account easier to hack, so be sure a bad party isn't requesting the reset.
Disabling 2FA for a user
It is important to note that the two 2-factor types are stored in different DB tables, so even if one is empty you may need to check the other.
- First, you'll need to know which user is having the issue. Obtain one of the following values from the user:
- Access the rails console via ssh.
  From your local machine:
    ssh root@=SERVER_IP=
  From the server console:
    cd /var/www/discourse
    sudo ./launcher enter app
    rails c
- Store the user_id as a variable in the console.
  - If you have the username:
      id = User.find_by_username('=USERNAME=').id
  - If you have the email:
      id = User.find_by_email('=EMAIL=').id
  - If you have the id:
      id = =USER_ID=
- Check for TOTP, and delete if needed.
    UserSecondFactor.where(user_id: id)
    UserSecondFactor.where(user_id: id).each(&:destroy!)
- Check for Security Keys, and delete if needed.
    UserSecurityKey.where(user_id: id)
    UserSecurityKey.where(user_id: id).each(&:destroy!)
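The two check-then-delete steps above can be wrapped so that both tables are always inspected and nothing is destroyed until the counts have been reviewed. This is an added example, not code from Discourse or its documentation: `reset_second_factors`, `FakeTable` and `FakeRow` are hypothetical names, and the in-memory stand-ins are constructed only so the block runs outside Rails.

```ruby
# Added example. In the Rails console, pass the real models from the steps above:
#   reset_second_factors(id, [UserSecondFactor, UserSecurityKey])                # dry run
#   reset_second_factors(id, [UserSecondFactor, UserSecurityKey], confirm: true) # delete
# Uses only `where(user_id:)` and `destroy!`, the calls shown in the guide.
def reset_second_factors(user_id, models, confirm: false)
  models.each_with_object({}) do |model, report|
    # Snapshot the matching rows first so the report reflects what was reviewed.
    records = model.where(user_id: user_id).to_a
    records.each(&:destroy!) if confirm
    report[model.name] = { found: records.size,
                           destroyed: confirm ? records.size : 0 }
  end
end

# Constructed stand-in for one row of a second-factor table.
class FakeRow
  attr_reader :user_id

  def initialize(table, user_id)
    @table = table
    @user_id = user_id
  end

  def destroy!
    @table.rows.delete_if { |row| row.equal?(self) }
  end
end

# Constructed stand-in for a model class: responds to `name` and `where`.
class FakeTable
  attr_reader :name, :rows

  def initialize(name, user_ids)
    @name = name
    @rows = user_ids.map { |uid| FakeRow.new(self, uid) }
  end

  def where(user_id:)
    rows.select { |row| row.user_id == user_id }
  end
end

# Constructed sample data: user 42 has no TOTP rows but two security keys.
SAMPLE_TOTP = FakeTable.new("UserSecondFactor", [7])
SAMPLE_KEYS = FakeTable.new("UserSecurityKey", [42, 42, 7])
```

The returned hash gives a per-table count that can be pasted into the support ticket as a record of what was removed for the user.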
Last edited by @SaraDev 2024-09-17T23:51:14Z