FusionAuth

    Why Can Only One user_support_manager Remove MFA Devices in FusionAuth?

      wesley

      We have two users assigned the role of user_support_manager, yet only one can manage and specifically remove multi-factor devices for other users. As far as we know, this is the appropriate role for facilitating that, and we cannot identify any other differences in permissions. What should we be on the lookout for, and is our assumption regarding permissions accurate?

        wesley @wesley

        You’re correct that user_support_manager is the right role, but it has a limitation: it can only remove MFA devices if the manager has the user’s MFA code or recovery codes. Only admins can disable MFA without those.

        If you want to remove MFA without needing a code, you’d need to use the User API to clear the user’s MFA data. Also, confirm that both support managers have the same role assigned under their registrations in the FusionAuth application. Check this under each user’s Source tab in the Admin UI under registrations.roles.

        More details:

        Update a User via API

        FusionAuth Admin UI Roles

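The role comparison suggested in the answer above, as an added example that is not part of the original post or FusionAuth's own code: it diffs `registrations.roles` per application between two user JSON objects, such as those copied from each user's Source tab. The sample users, the placeholder ids and the `editor` role are constructed for illustration; in this data one account also holds `admin`, which per the answer is the role that can disable MFA without a code.

```python
import json

# Constructed sample data, shaped like the user JSON on the Source tab.
# All ids are placeholders; "admin-app-id" stands for the FusionAuth application.
USER_A = json.loads("""
{"id": "user-a-placeholder",
 "registrations": [
   {"applicationId": "admin-app-id", "roles": ["user_support_manager", "admin"]},
   {"applicationId": "other-app-id", "roles": ["editor"]}
 ]}
""")
USER_B = json.loads("""
{"id": "user-b-placeholder",
 "registrations": [
   {"applicationId": "admin-app-id", "roles": ["user_support_manager"]}
 ]}
""")


def roles_by_application(user):
    """Map applicationId -> set of role names; tolerate missing keys."""
    result = {}
    for reg in user.get("registrations") or []:
        result[reg["applicationId"]] = set(reg.get("roles") or [])
    return result


def diff_roles(user_a, user_b):
    """Return {applicationId: (only_in_a, only_in_b)} for every mismatch.

    An application one user is not registered for counts as an empty role set,
    so a missing registration shows up as a difference too.
    """
    a, b = roles_by_application(user_a), roles_by_application(user_b)
    diff = {}
    for app_id in sorted(a.keys() | b.keys()):
        only_a = sorted(a.get(app_id, set()) - b.get(app_id, set()))
        only_b = sorted(b.get(app_id, set()) - a.get(app_id, set()))
        if only_a or only_b:
            diff[app_id] = (only_a, only_b)
    return diff


if __name__ == "__main__":
    for app_id, (only_a, only_b) in diff_roles(USER_A, USER_B).items():
        print(f"{app_id}: only A={only_a} only B={only_b}")
```

An empty result means the two accounts hold identical roles in every application, so the difference in behaviour has to come from somewhere other than role assignment.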