Why is 2FA incompatible with Associated Accounts?

It seems 2FA is mutually exclusive with associated accounts.

Why is this?

We’d like our users to add an external OpenID Connect service, but currently they have to make their accounts less secure to do so.


Nobody has an opinion on the internet?


Well, the reason is that your associated accounts can also be compromised, and AFAIK associated accounts bypass the 2FA restriction on forum accounts. That is why 2FA suppresses associated accounts. Associated accounts can be compromised, especially without 2FA, allowing bad actors to therefore log into your forum account as well.

However, there is a site setting you can modify to stop 2FA accounts from suppressing associated account logins. It’s named Enforce second factor on external auth; switch the setting so it’s unchecked. Unless your external auth enforces 2FA and is secure, I don’t recommend disabling this setting.

If you want to have people log in via your OpenID Connect service only, then you can disable the site setting Enable local logins. Keep in mind the warning stating WARNING: if disabled, you may be unable to log in if you have not previously configured at least one alternate login method.

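The trade-off described in the answer above, as an added example that is not Discourse's own code: it models the local and external login paths for one user under the two site settings named in the thread and flags the two risks raised, an associated account bypassing the forum second factor, and locking yourself out by disabling local logins with no alternate method. The setting and field names are illustrative stand-ins, not Discourse's internal keys.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SiteSettings:
    # Illustrative stand-ins (assumed names) for the two site settings in the thread.
    enforce_second_factor_on_external_auth: bool = True
    enable_local_logins: bool = True

@dataclass(frozen=True)
class User:
    has_second_factor: bool        # TOTP / security key enrolled on the forum account
    has_associated_account: bool   # e.g. an OpenID Connect identity linked to the account
    provider_enforces_2fa: bool = False  # whether the external IdP itself requires 2FA

def login_paths(s: SiteSettings, u: User) -> dict:
    """Describe how each login path behaves for this user under these settings."""
    if not s.enable_local_logins:
        local = "disabled"
    else:
        local = "password+2fa" if u.has_second_factor else "password"
    if not u.has_associated_account:
        external = "none"
    elif u.has_second_factor and s.enforce_second_factor_on_external_auth:
        external = "suppressed"      # 2FA account: associated login is not offered
    else:
        external = "provider-only"   # the IdP decides; the forum second factor is never challenged
    return {"local": local, "external": external}

def audit(s: SiteSettings, u: User) -> list:
    """Flag the two risks discussed: 2FA bypass via the IdP, and lockout."""
    paths = login_paths(s, u)
    findings = []
    if (u.has_second_factor and paths["external"] == "provider-only"
            and not u.provider_enforces_2fa):
        findings.append("external login bypasses the account's second factor")
    if paths["local"] == "disabled" and paths["external"] == "none":
        findings.append("no usable login path: user is locked out")
    return findings
```

Running `audit` over every user before unchecking the enforce setting shows which accounts would lose their second factor on the external path, and over every admin before disabling local logins shows who has no alternate method yet.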