Open pi-sigma opened 4 months ago
You can also delete the TOTP/WebAuthn device in the admin for that user and then everything works as expected again.
I'm a little bit hesitant about special-casing this in the login flow, since it introduces a risk of potential security issues if mistakes are made in how this is handled.
Sounds right, it adds an extra step, but it's only relevant for testing this particular feature anyway.
2FA can be disabled for staff + superusers that don't have a TOTP device set up, but as soon as you enable 2FA, you're stuck with it for that user (in the sense that it cannot be disabled programmatically).
Not a big hassle for development purposes, as you can just create a new superuser for testing out 2FA. However, it's not intuitive and should be either fixed or documented at some point.