Oops, I lost my phone. How can I OTP now?

What happens if you implemented two-factor authentication with your phone and you lost it?

How to recover and use another program, e.g., pass-otp, instead?

Since one cannot login without the second factor, how to get the tokens (secret, issuer) that will allow to setup another program?

2 Likes

You’ll have to disable 2FA through rails console. Discourse doesn’t have a built in SMS/Email based recovery mechanism as of now.

4 Likes

Discourse have backup tokens, which are to be used if you lose your OTP device.

You can also register the OTP in multiple devices.

FIDO2 keys can also be used, and Discourse support using multiples, so you can have backup keys stored in safe places, your main one, and the ones who are backed into your device, like Android fingerprint and Windows Laptop Hello devices.

If you did neither, you will have to contact the admin team and ask then to disable 2FA on your account.

12 Likes

OK, can you please point to the procedure to disable 2FA from the console?

2 Likes

Search “disable 2fa” first result says

So:

./launcher enter app
rails c
id = User.find_by(username: "YOURUSERNAME").id
UserSecondFactor.totps.where(user_id: id).each(&:destroy!)
9 Likes

Well, actually, after following the method above, I’m left without the possibility to log in, even via email with the following message:

The selected second factor method is not enabled for your account.

I had another admin verify that the account had no 2FA enabled.


EDIT I recast the topic to #bug because the proposed solution is not working.

1 Like

Today I looked at it again and found that:

[25] pry(main)> how.totp_enabled?
=> false
[26] pry(main)> how.backup_codes_enabled?
=> true
[27] pry(main)> how.totp_or_backup_codes_enabled?
=> true

So I tried to remove the backup codes as well, following the response above from @falco:

UserSecondFactor.backup_codes.where(user_id: id).each(&:destroy!)

Now here is the complete solution to disable OTP for a user when they lost their ways back in: you must remove both the totps entries and the backup_codes as well, so that the call to #totp_or_backup_codes_enabled? returns false.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.