Bypass two factor authentication without twoFactorTrustId
-
Hello. If a user changes his password, all of his refresh tokens are revoked. For a better user experience, to avoid forcing a re-login on the device currently in use, https://fusionauth.io/docs/v1/tech/apis/users#change-a-users-password gives a one-time password to log in again on the server side and get new refresh and access tokens without notifying the user. That's fine for non-MFA-enabled users. If a user with two-factor authentication enabled changes his password, then the server-side re-login with the one-time password to get new refresh and access tokens gives status 242, which requires completing two-factor authentication. How can I bypass this step without TOTP?
-
Hiya,
It seems you are asking how to allow a user to use MFA at all times, except when they are changing their password. That would seem to me to be exactly the right time to require MFA, but maybe I'm missing something.
The 242 return code is documented here.
If you are determined to avoid TOTP when someone is changing their password, you could write your own password change page and turn off MFA for the user when you notice they are changing their password. Then, once they've succeeded, you could turn it on again.
Hope that helps.