How do I enable Associated Accounts with 2FA?

nedbat · September 25, 2019, 3:31pm

On my site (https://discuss.openedx.org), I don’t see Associated Accounts when I go to edit my profile, like I do when I edit my profile here. But I can’t see anything in settings or plugins that looks like something I have to enable. What am I missing?

Falco · September 28, 2019, 12:51pm

It’s suppressed when 2FA is enabled.

nedbat · September 28, 2019, 2:18pm

Maybe the problem here is I’m misunderstanding what they are for. I wanted a way for people to add their Twitter and GitHub accounts so that other users could see them. For example, to follow people they meet in the forum.

But it’s becoming clearer that the fields I see in my profile here are really only for authentication, and so are not displayed to others. In fact, in the admin panels, they are treated with the same secrecy as email address, with an explicit button to view.

If I want publicly visible Twitter and GitHub handles, do I have to add them as custom user fields myself?

codinghorror · September 28, 2019, 7:18pm

Traditionally that is done in the About Me field as free text, so yes.

Falco · September 29, 2019, 3:20am

You can try Link custom user field to external website if that is what you need.

dylanh724 · April 13, 2020, 7:38am

Although a necro bump, this is super relevant and at the top of Google right now:

Is there a 2020 solution for this? Currently, existing forum users that donate via Patreon are locked out from any Discourse rewards. This is a pretty big problem since 2FA is super important and growing in popularity (as it should). We don’t want users to essentially be punished for adding 2FA~

Can’t we just get users to confirm 2fa before connecting any link? It seems outlandish to just remove this feature completely. I have 2FA enabled on Discord, too, for example – should I not be able to connect any account after that?

Falco · April 13, 2020, 4:02pm

The Patreon plugin doesn’t need the social login for it to work. As long as the email match, local logins will work just as fine and the emails will be assigned to their correct groups.

dylanh724 · April 23, 2020, 6:19am

Ohhhh… can we add that to Patreon OP? That’s pretty important. I couldn’t figure out why this guy couldn’t get linked and didn’t know where to turn. This may help others~

However, associated account linking is still pretty nice - some would even say necessary. I’m sure not everyone uses the same email for everything (I don’t) for different reasons. Some may also use aliases (eg, me+someAlias@gmail.com):

Can we get associated account linking even when someone 2FA’s up? Feels like a pretty big downgrade considering how important 2FA is; not the most encouraging to enable it if you lose features.

rokejulianlockhart · April 17, 2026, 1:52pm

@dylanh724, that’s my situation. I don’t merely utilise RFC 5233 sub-addresses, but different local parts (albeit, with the same subdomain) per service:

github.com/nextcloud/contacts

Provide RegEx fields correlated with each e-mail field, for plus addresses.

opened 04:40PM - 22 Jul 23 UTC

RokeJulianLockhart

enhancement 0. Needs triage

### Is your feature request related to a problem? Please describe. I utilise an… obfuscator for all of my e-mail addresses. [^1] Because it offers infinite aliases, I use a different alias *every* time I give my e-mail address to someone. However, I ensure that they're all under the `@rokejulianlockhart.addy.io` domain, so that they can be identified as me by a human. However, this isn't good enough. I use different aliases to combat spam, not be anonymous. [^1]: [`github.com/anonaddy/anonaddy`](https://github.com/anonaddy/anonaddy/blob/16933763d0c37c97068fe05b2e7e9e57ca4d860c/README.md#what-is-a-standard-alias) Additionally, when messaging others, I ensure that I add an RFC 5233-compliant sub-address with my name to their e-mail address, [^2] so that they can filter all messages from me (even if I'm using a different alias for my own filtering purposes). Others use the same when communicating with me, especially family. The current identification system doesn't take sub addresses into account whatsoever. [^2]: [`meta.discourse.org/t/129490/9`](https://meta.discourse.org/t/how-do-i-enable-associated-accounts-with-2fa/129490/9?u=rokejulianlockhart) ### Describe the solution you'd like I should therefore be able to set `RY7I0I+RY7I0R@rokejulianlockhart.addy.io` as an e-mail address, and beneath it add, for instance, the undermentioned: ```regex [A-Za-z0-9]+\+[A-Za-z0-9]+@RokeJulianLockhart\.Addy\.IO ``` …in another input form to ensure that Nextcloud identifies any (in this case sub-addressed) alias as me. ### Describe alternatives you've considered The sole current alternative is to list literal tens of thousands of aliases as myself, which is insane. It also wouldn't work, because the service generates a new alias when someone else uses one, so I'd have to retroactively add those whenever someone else uses one. It also wouldn't account for sub-addresses. ### Additional context Like most more powerful features of Nextcloud, this only *need* be visible when clicked on. Adding a button beside each e-mail address to show a form which allows the user to enter custom regex is enough. Additionally requested at: 1. [x] <del>[`feedbackportal.microsoft.com/feedback/idea/ed4261f8-af28-ee11-a81c-6045bd8534ad`](https://feedbackportal.microsoft.com/feedback/idea/ed4261f8-af28-ee11-a81c-6045bd8534ad#:~:text=Allow%20specifying%20regex%20to%20match%20an%20e%2Dmail%20address%20to%20a%20contact.)</del> 1. [x] [`discussions.apple.com/thread/255016441`](https://discussions.apple.com/thread/255016441?sortBy=rank#:~:text=Allow%20specifying%20regex%20to%20match,%20%20%20%20https://developer.apple.com/forums/thread/734290.) 1. [x] [`developer.apple.com/forums/thread/734290`](https://developer.apple.com/forums/thread/734290?answerId=801868022#801868022:~:text=Is%20your%20feature%20request%20related,%20%20%20%20https://github.com/nextcloud/contacts/issues/3530%23issue%2D1816825315.) 1. [x] [`bugzilla.mozilla.org/show_bug.cgi?id=1845009#c0`](https://bugzilla.mozilla.org/show_bug.cgi?id=1845009#c0:~:text=User%20Agent:%20Mozilla/5.0%20(X11;%20Linux,case%20sub%2Daddressed)%20alias%20as%20me.)

Others utilise different local parts and a generic domain that doesn’t relate to them, for which this cannot even theoretically be supported any other way.

Consequently, I want to explain that the undermentioned is nonsensical:

I’ve 2FA enabled. Currently, via TOTP, but shall be via CTAP1, when the undermentioned has been resolved:

This is solely for username-plus-password entry. Instead, I’ve also CTAP2 1FA active for the account. It’s also active for all possible OAuth alternatives, thereby rendering the stated rationale for preventing connecting alternative SSO options quite outdated.

It’s also quite confusing for someone who isn’t aware of the restriction:

Consequently, I advise that this not be the default, especially whilst the undermentioned remains:

That, plus the general dissuasion toward 2FA, means that it’s a net security negative.

Topic		Replies	Views
How do existing Discourse end-users link Patreon? Support patreon	8	1739	May 10, 2024
Associated Accounts disabled when secondFactor is enabled Support	0	363	April 30, 2022
Why is 2FA incompatible with Associated Accounts? Support 2fa	2	89	September 17, 2025
Is it impossible to remove Associated Accounts? Support	13	802	May 14, 2022
Social account links for admin? Support	3	362	May 12, 2022

How do I enable Associated Accounts with 2FA?

Related topics