    Is it possible to disable two-factor without providing the two-factor code?

    Q&A
    • S
      stephen
      last edited by

      Hello,

      We're implementing two-factor authentication in our application and want to provide a path for a user if they are no longer able to generate a two-factor code. This would happen if they lost their device or the device was destroyed by being thrown into a volcano like the One Ring.

      The two ways I've seen this handled in other systems are:

      • Provide an API endpoint that requires API Key Authentication and doesn't require a two-factor code so that we can develop an API endpoint that a Global Administrator can use to allow the affected user to bypass two-factor.
      • Provide one or more recovery codes that a user can enter to bypass entering the two-factor code

      I'm not sure if I'm missing a way to do either of these or there are any other recommended solutions to handle this use case.

      Thanks for helping out,
      Stephen

      • danD
        dan
        last edited by

        Hiya,

        Depending on the amount of traffic, you could also just have folks contact your customer service. After verifying their identity, the admins can turn off two factor authentication for a given user, allowing them to log in. Here's a forum post on how to do that: https://fusionauth.io/community/forum/topic/56/how-can-i-turn-on-two-factor-authentication

        Provide an API endpoint that requires API Key Authentication and doesn't require a two-factor code so that we can develop an API endpoint that a Global Administrator can use to allow the affected user to bypass two-factor.

        Sure, you could do that, or if you feel comfortable with the Global Administrator having access to the FusionAuth administrative user interface, just have them use the above instructions.

        Provide one or more recovery codes that a user can enter to bypass entering the two-factor code

        FusionAuth has no built in support for this, but it'd be easy enough to build, because you could build a small app to generate/store these codes (you could even store them in the user.data object so you wouldn't need a database) and then if someone provides one of the codes, the app could flip twoFactorEnabled to false via PATCH. If you think this should be part of FusionAuth (which I can see being a valid viewpoint), please file an issue.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        • S
          stephen
          last edited by

          Thanks for the reply!

          I didn't realize you could turn off the two-factor by patching the user. Thanks for pointing me in the correct direction.

          • S
            stephen
            last edited by stephen

            Hi Dan,

            As we continue to work through this we are trying to determine the preferred way to validate identity when disabling two-factor with the recovery code.

            The issue we are running into is there is no way to confirm their credentials with a direct call to FusionAuth and then apply an action to disable two-factor because we don't get back any JWT token before the two-factor is turned on. This makes sense given the current system, but it does present a problem in this particular scenario.

            The only way that we can think to do this is to create an endpoint that:

            • User provides their credentials and the recovery code
            • API uses the FusionAuth API to do a user login
            • API determines if the login is successful (are the credentials rejected?)
            • API determines if the user has two-factor on (is the two-factor code returned from FusionAuth?)
            • If the login is successful check to see if the recovery code that the user provided matches the one that was generated and disable two-factor

            I do not prefer to consume the users credentials directly—I would rather have the user's credentials always managed by FusionAuth. Do you have any recommendations on achieving this functionality?

            I'm going to file an issue to have this functionality directly added into FusionAuth.

            Thanks for your help!

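The recovery-code endpoint described in the post above, as an added example that is not code from the thread or from FusionAuth. It assumes the codes are stored as hashes in the user's user.data (as dan suggested), that FusionAuth's Login API answers with status 242 and a twoFactorId when credentials are correct but a two-factor code is still required, and that the user is disabled via PATCH of twoFactorEnabled; the function names and status constant are hypothetical.

```python
import hashlib
import hmac
import secrets

# FusionAuth's Login API answers 242 when the password is right but a
# two-factor code is still required; confirm against the docs for your version.
TWO_FACTOR_REQUIRED_STATUS = 242
RECOVERY_CODE_COUNT = 8


def _digest(code: str) -> str:
    # Normalise what the user typed, then hash so user.data never holds plaintext codes.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


def generate_recovery_codes(count: int = RECOVERY_CODE_COUNT):
    """Return (codes to show the user exactly once, user.data fragment holding their hashes)."""
    codes = [secrets.token_hex(5) for _ in range(count)]
    return codes, {"recoveryCodeHashes": [_digest(c) for c in codes]}


def consume_recovery_code(user_data: dict, code: str):
    """Return user.data with the matched hash removed (codes are single-use), or None.
    Every stored hash is compared in constant time, so a miss costs the same as a hit."""
    hashes = list(user_data.get("recoveryCodeHashes", []))
    given = _digest(code)
    match = None
    for h in hashes:
        if hmac.compare_digest(h, given) and match is None:
            match = h
    if match is None:
        return None
    hashes.remove(match)
    return {**user_data, "recoveryCodeHashes": hashes}


def build_disable_two_factor_patch(login_status: int, login_body: dict, user_data: dict, code: str):
    """Follow the thread's steps in order: credentials accepted, two-factor pending,
    recovery code valid. Only then return the body for PATCH /api/user/{userId}."""
    if login_status != TWO_FACTOR_REQUIRED_STATUS or "twoFactorId" not in login_body:
        return None  # wrong password, or the account never had two-factor enabled
    remaining = consume_recovery_code(user_data, code)
    if remaining is None:
        return None
    return {"user": {"twoFactorEnabled": False, "data": remaining}}
```

The caller forwards the user's credentials to the Login API and passes the response status and body in; only a 242 with a valid, unused recovery code yields a PATCH body.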
            • danD
              dan
              last edited by

              So it sounds like you're saying you want the user to be checked two times:

              • they can log in successfully (even if they end up at the dead end of the two FA process)
              • they provide some out of band info (answer to a question on file or something like that) to an admin user

              And you'd prefer for them to log in using the FusionAuth hosted pages, so your application isn't handling any credentials ever.

              I was thinking maybe webhooks would work, but there's not one for 'login completed except for two factor auth', so you'd have no way of knowing if they could login successfully.

              Other than a screenshare (where a person looks to see if someone has signed in successfully to the hosted pages), which probably isn't a scalable option, I don't see any way, other than what you propose, to prove someone can provide their credentials and get prompted for the two factor code.

              The only other solution that jumps to mind is that you could put an image or code or something unique to the login attempt in the OAuth two-factor themed page. And then the user could provide that as "proof" that they were able to log in to at least that page. Maybe a string encrypted with the time and a secret? You'd have to build that image generator out and provide a way for your admin users to validate it.


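The "string with the time and a secret" proof dan sketches above, as an added example that is not from the thread or from FusionAuth: an HMAC over the user id and a time window, rendered on the two-factor themed page, and the matching check an admin tool would run. The secret, window length and function names are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Constructed values for the example; the real secret lives in server config,
# never in the themed page's HTML or JavaScript.
PROOF_SECRET = b"constructed-secret-for-demo"
WINDOW_SECONDS = 10 * 60


def _mac(user_id: str, bucket: int) -> bytes:
    return hmac.new(PROOF_SECRET, f"{user_id}:{bucket}".encode(), hashlib.sha256).digest()[:12]


def issue_login_proof(user_id: str, now: float = None) -> str:
    """Code to render on the two-factor page: window index plus truncated HMAC, base32 so it is easy to read out."""
    bucket = int((time.time() if now is None else now) // WINDOW_SECONDS)
    raw = bucket.to_bytes(6, "big") + _mac(user_id, bucket)
    return base64.b32encode(raw).decode().rstrip("=")


def verify_login_proof(user_id: str, proof: str, now: float = None, grace_windows: int = 1) -> bool:
    """Admin-side check: the proof must be bound to this user and to the current or a recent window."""
    try:
        raw = base64.b32decode(proof.strip().upper() + "=" * (-len(proof.strip()) % 8))
    except Exception:
        return False
    if len(raw) != 18:
        return False
    bucket = int.from_bytes(raw[:6], "big")
    current = int((time.time() if now is None else now) // WINDOW_SECONDS)
    if not (current - grace_windows <= bucket <= current):
        return False  # expired, or a window in the future
    return hmac.compare_digest(raw[6:], _mac(user_id, bucket))
```

The proof only shows that the user got past the password check for that account within the window; identity verification by the admin still needs to happen on top of it.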
              • danD
                dan
                last edited by

                I added a github issue related to this discussion: https://github.com/FusionAuth/fusionauth-issues/issues/871


                • S
                  stephen
                  last edited by

                  Thanks for adding an issue for this

                  • danD
                    dan
                    last edited by

                    No worries.

                    Please upvote it if you are interested in this moving toward the front of the work queue.
