FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    Bypass two factor authentication without twoFactorTrustId

    Scheduled Pinned Locked Moved
    Q&A
    2
    2
    560
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jogiprasadpakki
      last edited by

      Hello if an user change his password all of his refresh tokens revoked. to better user experience not forcing relogin in current using device the https://fusionauth.io/docs/v1/tech/apis/users#change-a-users-password gives one time password to relogin in server side to access new refresh and access tokens without notifying user that's fine non mfa enabled users. If two factor authentication enabled user change his password then server side relogin with one time password to access new refresh and access tokens gives status 242 require Complete Two Factor Authentication how to bypass this step without totp

      1 Reply Last reply Reply Quote 0
      • danD
        dan
        last edited by

        Hiya,

        It seems you are asking how to allow a user to use MFA at all times, except when they are changing their password. That would seem to me to be exactly the right time to require MFA, but maybe I'm missing something.

        The 242 return code is documented here.

        If you are determined to avoid TOTP when someone is changing their password, you could write your own password change page and turn off MFA for the user when you notice they are changing their password. Then, once they've succeeded, you could turn it on again.

        Hope that helps.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        1 Reply Last reply Reply Quote 0
        • First post
          Last post