born05 / craft-twofactorauthentication

Craft plugin for two-factor or two-step login using Time Based OTP.
MIT License

2FA can be disabled without verifying 2FA token #80

Closed Zae closed 1 year ago

Zae commented 1 year ago

It's possible to disable a user's 2FA authentication status if the user is already logged in, for example when a user forgets to log out.

Is it possible to ask for a valid 2FA token when disabling 2FA?

roelvanhintum commented 1 year ago

No, you currently cannot verify with a 2fa token when disabling.

Zae commented 1 year ago

Is this something that could be added to the roadmap of the plugin?

roelvanhintum commented 1 year ago

Sorry @Zae, I think Craft CMS itself is going to have 2FA in a short time, so there isn't much of a roadmap anymore.

Zae commented 1 year ago

Hi @roelvanhintum,

Thanks for letting me know! I'll just enable forceBackEnd until that option becomes available in Craft then!