Understanding Role Permissions for Disabling 2FA in FusionAuth
-
We are configuring accounts for our technical support team to allow them to disable 2FA in emergencies. According to the FusionAuth documentation, this should be possible with the user_support_manager role.
However, when attempting to disable 2FA, we are prompted to enter a One Time Password (OTP), and only the global_admin role seems able to complete the action.
Are we misconfiguring something, or could this behavior indicate a bug? We tested this on versions 1.45.1 and 1.46.0.
-
The behavior you are experiencing is working as designed.
Currently, only the global_admin role can bypass the OTP requirement to disable 2FA. While the user_support_manager role allows managing other user account aspects, it does not have the necessary permissions to bypass 2FA for removal.
Feature Request Option:
If this functionality is critical for your workflow, you could consider submitting a feature request to extend this capability to additional roles in a future release. Or review this issue and comment if it meets your needs.