RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

Forced Two-Factor Authentication - Even when disabled #21941

Open MatheusCampello opened 3 years ago

MatheusCampello commented 3 years ago

Description:

When adding validated users using the REST API or via the interface, two-factor authentication is being forced even when 2FA is disabled.

Steps to reproduce:

  1. Go to 'Accounts'
  2. Disable Two-Factor authentications with TOTP
  3. Disable Two Factor Authentication via Email
  4. Click Save changes
  5. Add new user with "validated email" checked
  6. Try to login

Expected behavior:

When disabling two-factor authentication, it should not be required to enter a two-factor authentication when logging in.

Actual behavior:

It doesn't matter if you disable the two-factor authentication. The server is always forcing it.

Server Setup Information:

strike65 commented 3 years ago

Same here, V. 3.13.1

iori57 commented 3 years ago

Same here, v 3.14.2

I've set 3 settings below to false in db.rocketchat_settings:

Still getting this error when trying to do a POST to /api/v1/users.update

2021-05-31T04:40:15.110458353Z   data: {
2021-05-31T04:40:15.110462753Z     success: false,
2021-05-31T04:40:15.110466953Z     error: 'TOTP Invalid [totp-invalid]',
2021-05-31T04:40:15.110471353Z     errorType: 'totp-invalid',
2021-05-31T04:40:15.110475253Z     details: { method: 'password' }
2021-05-31T04:40:15.110479754Z   }

sofiabrown commented 2 years ago

Any resolution to this?

xcskier56 commented 2 years ago

I am having this issue as well.

  1. I enabled 2FA
  2. I created a user and then realized that 2FA was required
  3. I disabled 2FA in admin panel
  4. I created a new user
  5. New user still prompted for 2FA after login & REST API request

xcskier56 commented 2 years ago

After updating to 4.8.4 this has resolved for me

aqibbangash commented 1 year ago

Facing the same issue on 6.2.8