FusionAuth

Understanding Role Permissions for Disabling 2FA in FusionAuth

  • wesley
    last edited by 30 Jan 2025, 21:23

    We are configuring accounts for our technical support team to allow them to disable 2FA in emergencies. According to the FusionAuth documentation, this should be possible with the user_support_manager role.

    However, when attempting to disable 2FA, we are prompted to enter a One Time Password (OTP), and only the global_admin role seems able to complete the action.

    Are we misconfiguring something, or could this behavior indicate a bug? We tested this on versions 1.45.1 and 1.46.0.

    • wesley @wesley
      last edited by 30 Jan 2025, 21:26

      The behavior you are experiencing is working as designed.

      Currently, only the global_admin role can bypass the OTP requirement to disable 2FA. While the user_support_manager role allows managing other user account aspects, it does not have the necessary permissions to bypass 2FA for removal.

      Feature Request Option:
      If this functionality is critical for your workflow, you could consider submitting a feature request to extend this capability to additional roles in a future release. Or review this issue and comment if it meets your needs.

      • wesley has marked this topic as solved on 30 Jan 2025, 21:26