maykinmedia / maykin-2fa

Multi-factor authentication layer on top of django-two-factor-auth
MIT License

Disable 2fa not working as expected #14

Open pi-sigma opened 4 months ago

pi-sigma commented 4 months ago

2fa can be disabled for staff + superusers that don't have a TOTP device set up, but as soon as you enable 2fa, you're stuck with it for that user (in the sense that it cannot be disabled programmatically).

Not a big hassle for development purposes, as you can just create a new superuser for testing out 2fa. However, it's not intuitive and should be either fixed or documented at some point.

sergei-maertens commented 4 months ago

You can also delete the TOTP/WebAuthn device in the admin for that user and then everything works as expected again.

I'm a little bit hesitant about special-casing this in the login flow since it introduces a risk for potential security issues if mistakes are made in how this is handled.
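
The same cleanup done programmatically, as an added example that is not code from the maykin-2fa project or from the commenter. It assumes a Django project with django_otp (pulled in by django-two-factor-auth) installed and configured, that the WebAuthn device model is registered as a django_otp device like the plugin's other models, and a user looked up by `username`; run it from `python manage.py shell`. The default is a dry run that only reports which devices would be removed.

```python
"""Remove a user's enrolled MFA devices so the login flow treats them as
not enrolled again (the scripted counterpart of deleting the TOTP/WebAuthn
device in the Django admin). Added example, not part of maykin-2fa."""
from __future__ import annotations

from typing import Iterable, List, Tuple


def summarize_devices(devices: Iterable[object]) -> List[Tuple[str, str]]:
    """Return (device model name, device name) pairs for an audit line
    before anything is deleted."""
    return [(type(d).__name__, getattr(d, "name", "") or "") for d in devices]


def disable_two_factor(username: str, dry_run: bool = True) -> List[Tuple[str, str]]:
    """Delete every django_otp device (TOTP, static backup tokens,
    WebAuthn, ...) belonging to `username`.

    Django imports are kept inside the function so the module can be loaded
    without a configured settings module (e.g. to unit-test the summary
    helper); inside a project this makes no difference.
    """
    from django.contrib.auth import get_user_model
    from django.db import transaction
    from django_otp import devices_for_user

    User = get_user_model()
    user = User.objects.get(username=username)

    # confirmed=None also returns unconfirmed devices left behind by a
    # half-finished setup wizard, which would otherwise survive the cleanup.
    devices = list(devices_for_user(user, confirmed=None))
    summary = summarize_devices(devices)

    if not dry_run:
        # Delete all or nothing: a partial cleanup would leave the account in
        # the same "stuck" state the issue describes.
        with transaction.atomic():
            for device in devices:
                device.delete()
    return summary


if __name__ == "__main__":
    # Typical use from `manage.py shell`: inspect first, then delete.
    print(disable_two_factor("ASSUMED_USERNAME"))                 # dry run
    print(disable_two_factor("ASSUMED_USERNAME", dry_run=False))  # actual delete
```

Deleting the device records is exactly what the admin route does, so nothing in the login flow needs a special case; after the next login the user is simply prompted to enrol again if the policy still requires it.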

pi-sigma commented 4 months ago

Sounds right, it adds an extra step, but it's only relevant for testing this particular feature anyway.