Oops, I lost my phone. How can I OTP now?

What happens if you implemented two-factor authentication with your phone and you lost it?

How to recover and use another program, e.g., pass-otp, instead?

Since one cannot log in without the second factor, how does one get the tokens (secret, issuer) that will allow setting up another program?

2 Likes

You’ll have to disable 2FA through rails console. Discourse doesn’t have a built in SMS/Email based recovery mechanism as of now.

4 Likes

Discourse has backup tokens, which are to be used if you lose your OTP device.

You can also register the OTP in multiple devices.

FIDO2 keys can also be used, and Discourse supports using multiple ones, so you can have backup keys stored in safe places, your main one, and the ones that are built into your device, like Android fingerprint and Windows Hello on a laptop.

If you did neither, you will have to contact the admin team and ask them to disable 2FA on your account.

12 Likes

OK, can you please point to the procedure to disable 2FA from the console?

2 Likes

Searching “disable 2fa”, the first result says:

So:

./launcher enter app   # open a shell inside the Discourse container
rails c                # start the Rails console
id = User.find_by(username: "YOURUSERNAME").id   # look up the locked-out user's id
UserSecondFactor.totps.where(user_id: id).each(&:destroy!)   # remove the user's TOTP records

9 Likes

Well, actually, after following the method above, I’m left without the possibility to log in, even via email with the following message:

The selected second factor method is not enabled for your account.

I had another admin verify that the account had no 2FA enabled.

EDIT: I recast the topic to bug because the proposed solution is not working.

1 Like

Today I looked at it again and found that:

[25] pry(main)> how.totp_enabled?
=> false
[26] pry(main)> how.backup_codes_enabled?
=> true
[27] pry(main)> how.totp_or_backup_codes_enabled?
=> true

So I tried to remove the backup codes as well, following the response above from @falco:

UserSecondFactor.backup_codes.where(user_id: id).each(&:destroy!)

Now here is the complete solution to disable OTP for a user when they have lost their way back in: you must remove both the totps entries and the backup_codes as well, so that the call to #totp_or_backup_codes_enabled? returns false.

3 Likes
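The lockout described in this thread comes down to one predicate: the login path checks `totp_or_backup_codes_enabled?`, which stays true while either a TOTP row or a backup-code row survives. The following Ruby is an added example, not code from Discourse or from anyone in this thread. It uses a constructed in-memory stand-in for the `user_second_factors` table (the real column is `method`; it is called `kind` here) so that the partial fix and the complete fix can be run side by side offline. The `totps`/`backup_codes` scope names and the three predicates mirror what the pry session above shows; their internals here are an assumption about the shape of the data, not Discourse's implementation.

```ruby
# Added example (not Discourse code): models why destroying only
# UserSecondFactor.totps leaves an account locked out, and what the
# complete recovery has to remove.

TOTP = :totp
BACKUP_CODES = :backup_codes

# One row of user_second_factors. Discourse's column is `method`; named
# `kind` here so it does not shadow Object#method on the Struct.
SecondFactorRow = Struct.new(:user_id, :kind, :enabled)

class SecondFactorStore
  def initialize(rows)
    @rows = rows
  end

  # Stand-ins for the scopes used in the thread (assumed shape: enabled rows
  # of the given kind for one user).
  def totps(user_id)
    @rows.select { |r| r.user_id == user_id && r.kind == TOTP && r.enabled }
  end

  def backup_codes(user_id)
    @rows.select { |r| r.user_id == user_id && r.kind == BACKUP_CODES && r.enabled }
  end

  def destroy!(row)
    @rows.delete(row)
  end

  # Stand-ins for the three User predicates from the pry session.
  def totp_enabled?(user_id)
    !totps(user_id).empty?
  end

  def backup_codes_enabled?(user_id)
    !backup_codes(user_id).empty?
  end

  def totp_or_backup_codes_enabled?(user_id)
    totp_enabled?(user_id) || backup_codes_enabled?(user_id)
  end
end

# The incomplete fix from earlier in the thread: TOTP rows only.
# Returns whether the account still demands a second factor.
def disable_totp_only!(store, user_id)
  store.totps(user_id).each { |row| store.destroy!(row) }
  store.totp_or_backup_codes_enabled?(user_id)
end

# The complete fix: TOTP rows and backup-code rows both have to go.
# Returns false once the account no longer requires a second factor.
def disable_second_factors!(store, user_id)
  store.totps(user_id).each { |row| store.destroy!(row) }
  store.backup_codes(user_id).each { |row| store.destroy!(row) }
  store.totp_or_backup_codes_enabled?(user_id)
end

# Constructed sample data: user 42 has TOTP plus backup codes (the thread's
# situation); user 7 is an unrelated user whose records must be untouched.
def sample_store
  SecondFactorStore.new([
    SecondFactorRow.new(42, TOTP, true),
    SecondFactorRow.new(42, BACKUP_CODES, true),
    SecondFactorRow.new(7, TOTP, true),
  ])
end

if __FILE__ == $PROGRAM_NAME
  s = sample_store
  puts "still requires 2FA after removing TOTP only: #{disable_totp_only!(s, 42)}"
  s = sample_store
  puts "still requires 2FA after removing both:      #{disable_second_factors!(s, 42)}"
end
```

Against a live instance, the two `each(&:destroy!)` lines posted above are what the two loops in `disable_second_factors!` stand for; after running them in the console, call the user's `totp_or_backup_codes_enabled?` and confirm it is false before telling the user to try logging in again. FIDO2 security keys are stored separately and are not touched by either loop, so a user who also registered keys needs those handled on their own.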

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.