Why Can Only One user_support_manager Remove MFA Devices in FusionAuth?
-
We have two users assigned the role of user_support_manager, yet only one can manage and specifically remove multi-factor devices for other users. As far as we know, this is the appropriate role for facilitating that, and we cannot identify any other differences in permissions. What should we be on the lookout for, and is our assumption regarding permissions accurate?
-
You’re correct that user_support_manager is the right role, but it has a limitation: it can only remove MFA devices if the manager has the user’s MFA code or recovery codes. Only admins can disable MFA without those.
If you want to remove MFA without needing a code, you’d need to use the User API to clear the user’s MFA data. Also, confirm that both support managers have the same role assigned under their registrations in the FusionAuth application. Check this under each user’s Source tab in the Admin UI under registrations.roles.
More details:
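As an added illustration (not code from the original thread or from FusionAuth itself), the script below does the two things the answer recommends: it compares the `registrations.roles` of the two support managers for the FusionAuth application, and it builds the User API request that clears a user's MFA data without a code. The endpoint path `/api/user/{userId}`, the `Authorization` header carrying an API key, and the `user.twoFactor.methods` field are assumptions about the FusionAuth API that should be checked against the User API docs for your version; the application id and the user records are constructed placeholders.

```python
"""Compare two FusionAuth users' registration roles and build the User API
PATCH that clears a user's MFA methods.

Assumptions (not stated in the thread above): the User API lives at
{base_url}/api/user/{userId}, an API key goes in the Authorization header,
and a user's MFA methods are stored in user.twoFactor.methods.
"""
import json
import urllib.request

# Placeholder for the FusionAuth admin application's id (not the page's value).
FUSIONAUTH_APP_ID = "FUSIONAUTH_APP_ID_PLACEHOLDER"

# Constructed sample records, shaped like GET /api/user/{userId} responses.
# Manager A holds the role in the FusionAuth app; manager B holds the same
# role, but under a registration for a different application.
MANAGER_A = {"user": {"id": "user-a", "email": "a@example.com", "registrations": [
    {"applicationId": FUSIONAUTH_APP_ID, "roles": ["user_support_manager"]}]}}
MANAGER_B = {"user": {"id": "user-b", "email": "b@example.com", "registrations": [
    {"applicationId": "some-other-app", "roles": ["user_support_manager"]}]}}


def roles_for(user_response, application_id):
    """Roles the user holds in one application (the registrations.roles
    field the answer says to inspect). Empty set if not registered there."""
    for reg in user_response["user"].get("registrations", []):
        if reg.get("applicationId") == application_id:
            return set(reg.get("roles", []))
    return set()


def role_diff(first, second, application_id):
    """Roles one manager has that the other lacks; two empty lists mean parity."""
    a = roles_for(first, application_id)
    b = roles_for(second, application_id)
    return {"only_first": sorted(a - b), "only_second": sorted(b - a)}


def clear_mfa_patch_body():
    """PATCH body that empties the user's MFA methods (assumption: FusionAuth
    PATCH replaces the array rather than merging into it)."""
    return {"user": {"twoFactor": {"methods": []}}}


def fusionauth_request(base_url, api_key, method, path, body=None):
    """Minimal authenticated call to the FusionAuth API using only the stdlib."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{base_url}{path}", data=data, method=method,
        headers={"Authorization": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def clear_mfa(base_url, api_key, user_id):
    """Remove every MFA method from a user without needing their code.
    Requires an API key with User API permissions; log who ran it and why."""
    return fusionauth_request(base_url, api_key, "PATCH",
                              f"/api/user/{user_id}", clear_mfa_patch_body())


if __name__ == "__main__":
    # Offline check on the constructed records: shows B is missing the role
    # in the FusionAuth application even though the role name matches.
    print(role_diff(MANAGER_A, MANAGER_B, FUSIONAUTH_APP_ID))
```

In practice, fetch both managers with `fusionauth_request(base, key, "GET", f"/api/user/{user_id}")` and pass the responses to `role_diff`; a non-empty `only_first` or `only_second` is the permission difference the answer tells you to look for. Reserve `clear_mfa` for an API key scoped to the User API and keep the audit trail, since it bypasses the code requirement that the UI enforces on support managers.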