Disable MFA for user via API
-
Is there a way to disable a given user's MFA method via the APIs without requiring an authenticator code?
This would be useful when a user had something like Google Authenticator and switched devices without syncing to the cloud.
-
This is possible using the user API
https://fusionauth.io/docs/v1/tech/apis/users
First GET the current user and identify the two-factor method you want to disable. Below you can see where the twoFactor method has one called "authenticator". Example:
{ "user": { ... "twoFactor": { "methods": [ { "authenticator": { "algorithm": "HmacSHA1", "codeLength": 6, "timeStep": 30 }, "id": "35VW", "method": "authenticator" }, ...
Remove the object for "authenticator" and then make a PUT call against the same User object to update. https://fusionauth.io/docs/v1/tech/apis/users#update-a-user
Please note:
This will allow you to administratively remove a 2FA method from a specific user, and it will leave the recovery codes intact if there is at least one remaining 2FA method configured for the user. If you only have one configured method, and you remove it, the recovery codes will be cleared, and then re-generated next time you enable 2FA on the user.
-
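The GET, edit, PUT procedure from the answer above, as an added Python example (not code from the thread or from FusionAuth). The request layout is an assumption taken from the linked User API docs: GET and PUT against `/api/user/{userId}`, a `{"user": {...}}` body, and the API key in the `Authorization` header; check these against your FusionAuth version. The sample user record and its second method and recovery code are constructed so the edit step runs offline.

```python
"""Administratively remove one two-factor method from a FusionAuth user.

Added example; assumptions (verify against the User API docs):
  GET  {base_url}/api/user/{userId}  -> {"user": {...}}
  PUT  {base_url}/api/user/{userId}  <- {"user": {...}}  (full replacement)
  API key sent as the Authorization header.
"""
import copy
import json
import urllib.request

# Constructed sample, shaped like the fragment quoted in the answer.
# The email method and recovery code are made up for the example.
SAMPLE_USER = {
    "id": "00000000-0000-0000-0000-000000000001",  # constructed id
    "email": "jane@example.com",
    "twoFactor": {
        "methods": [
            {
                "authenticator": {"algorithm": "HmacSHA1", "codeLength": 6, "timeStep": 30},
                "id": "35VW",
                "method": "authenticator",
            },
            {"email": "jane@example.com", "id": "ABCD", "method": "email"},
        ],
        "recoveryCodes": ["XXXX-YYYY"],  # constructed placeholder
    },
}


def remove_two_factor_method(user, method_id):
    """Return (new_user, methods_left) with the method whose id matches removed.

    The input dict is left untouched. A missing id raises KeyError so a typo
    cannot silently turn into a PUT of the unchanged user.
    """
    new_user = copy.deepcopy(user)
    methods = new_user.get("twoFactor", {}).get("methods", [])
    kept = [m for m in methods if m.get("id") != method_id]
    if len(kept) == len(methods):
        raise KeyError(f"no two-factor method with id {method_id!r}")
    new_user["twoFactor"]["methods"] = kept
    return new_user, len(kept)


def _request(base_url, api_key, path, method="GET", body=None):
    """Minimal JSON call; header/URL shape is the assumption stated above."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=data,
        method=method,
        headers={"Authorization": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def disable_method_for_user(base_url, api_key, user_id, method_id):
    """GET the user, drop the method, PUT the full object back.

    Returns the number of methods still configured. When it is 0, the
    server clears the recovery codes (see the note in the answer), so the
    operator should expect them to be regenerated on the next enable.
    """
    user = _request(base_url, api_key, f"/api/user/{user_id}")["user"]
    new_user, left = remove_two_factor_method(user, method_id)
    if left == 0:
        print("warning: removing the last 2FA method; recovery codes will be cleared")
    _request(base_url, api_key, f"/api/user/{user_id}", method="PUT", body={"user": new_user})
    return left


if __name__ == "__main__":
    # Offline demo of the edit step only; the PUT needs a live instance.
    updated, left = remove_two_factor_method(SAMPLE_USER, "35VW")
    print(json.dumps(updated["twoFactor"], indent=2), "methods left:", left)
```

Because PUT replaces the whole user object, send back the full record you fetched with only the method removed; a hand-built partial body would drop other fields. Use the method `id` rather than the `method` name so that a user with two authenticator apps loses only the intended one.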