Open sgiehl opened 8 years ago
Subscribing to one time token, as it is mainly used by Google or other company to bypass in case of...
I would also like to know the answer to this please and am not fully clear on your response, Draky. Could you expand a little please?
Other big websites like Google let us use bypass codes.
Agreed they do, so do nextcloud and others, but this plugin doesn't support it, does it?
I would love to be able to add support for this, but I'm currently not able to handle this. Pull Requests are welcome :)
Just trying to understand any potential lockout scenarios. Are we able to disable the plugin locally and re-login to recover the account?
If we edit the configs that is.
Thanks
Sure. You can disable the plugin to disable it for all accounts. Or you can remove the settings for a specific account from the database to disable it for a specific account: piwik_option table; option_name is GoogleAuthenticator.username
Perfect, thanks, and does disabling it leave the original username and pass intact, merely removing the additional 2FA step?
So we can login as usual?
Exactly. It only disables the 2FA step.
That works for me, thanks :) and thanks for your work.
How to do it exactly, please... I am locked out, looked at the tables, but can't find it
@jookk Try `DELETE FROM piwik_option WHERE option_name = 'GoogleAuthenticator.username' LIMIT 1;`, where you need to replace `username` with your own user's login. Afterwards you need to set up 2FA for that user again
so, I tried and...
Then it shouldn't be active for your user. What exactly is your problem when logging in?
Yes, it was active and I used it successfully. Recently changed phone and TfA is gone. BUT, I found ./console plugins list and deactivate... So, I simply deactivated Google Auth plugin and logged in. :)
In the case that someone loses his possibility to generate tokens (e.g. lost his phone) there should be a possibility to bypass the two factor auth in order to be still able to login to piwik.
The possibility provided by other services is to generate a list of one time tokens.
A possibility suggested by a user would be to bypass two factor auth for specific IPs (which won't work for dynamic IPs).
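
The list of one-time tokens requested in this issue could work as sketched below. This is an added example, not code from the plugin or from anyone in this thread; the function names, the code length and the count of ten codes are assumptions. Only hashes are stored, and a code is removed the moment it is redeemed.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10   # assumed size of the list handed to the user
CODE_BYTES = 10   # 80 bits of randomness per code (assumption)


def normalize(code):
    """Accept codes typed with spaces, dashes or upper-case letters."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def _digest(code):
    # The codes are long random values, so a plain SHA-256 is enough to keep
    # a leaked options table from revealing codes that still work.
    return hashlib.sha256(normalize(code).encode("utf-8")).hexdigest()


def generate_recovery_codes(count=CODE_COUNT):
    """Return (codes to show the user once, set of hashes to store)."""
    codes = [secrets.token_hex(CODE_BYTES) for _ in range(count)]
    return codes, {_digest(c) for c in codes}


def redeem(stored_hashes, submitted):
    """Return True exactly once per valid code; the code is then consumed."""
    candidate = _digest(submitted)
    match = None
    for stored in stored_hashes:
        # Constant-time comparison, checked against every stored hash.
        if hmac.compare_digest(stored, candidate):
            match = stored
    if match is None:
        return False
    stored_hashes.discard(match)  # single use: a replayed code fails
    return True


if __name__ == "__main__":
    codes, hashes = generate_recovery_codes()
    print("first use :", redeem(hashes, codes[0]))
    print("second use:", redeem(hashes, codes[0]))
    print("codes left:", len(hashes))
```

In a real deployment the hash set would be stored per user next to the 2FA secret, and redemption attempts would be rate-limited and logged like any other login attempt.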