Changing a user's password without a two factor code while two factor is enabled
-
I am attempting to integrate two factor authentication into a project, but I'm not sure what to do when updating the change password feature. My objective is for the existing flow to appear identical to what it was without two factor, with no extra steps for the user if they have two factor enabled. That means not sending a two factor code.
My understanding is that to change a password when two factor is enabled one must also send a trust token, which is generated when completing a two factor authentication, which in turn can only be completed with a code sent to the user.
My question is, is there a way to change the user's password without sending them a code while two factor is enabled?
-
Hi @pedroparente,
If you can't make a workflow work for your use case, the usual suggestion is to drop down to using the APIs.
In this case, you could build your own page which lets users change their password and use the User Update API to directly change their password.
Of course, that's more work and circumvents the security posture that FusionAuth provides.
There's no way to do this within the hosted login pages currently, but you are welcome to file an issue explaining your use case.
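An added example, not part of the thread and not FusionAuth's own code: a server-side handler for the custom page described above. Because this path skips the two factor trust check, the handler re-verifies the current password itself and records an audit event before sending a `PATCH` to `/api/user/{userId}`. The host, API key, and the `verify_current`, `send` and `audit` callbacks are hypothetical names assumed for illustration.

```python
import json
import urllib.request


class ReauthRequired(Exception):
    """Raised when the caller has not proven knowledge of the current password."""


def build_password_update(base_url, api_key, user_id, new_password):
    # Build (do not send) a PATCH that changes only the password field.
    # The API key stays on the server; it must never reach the browser.
    body = json.dumps({"user": {"password": new_password}}).encode("utf-8")
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/user/{user_id}",
        data=body,
        method="PATCH",
        headers={"Authorization": api_key, "Content-Type": "application/json"},
    )


def change_password(session_user_id, current_password, new_password,
                    verify_current, send, audit, base_url, api_key):
    # The user id comes from the authenticated session, never from the form,
    # so one user cannot change another user's password.
    if not session_user_id:
        raise ReauthRequired("no authenticated session")

    # Compensating control for the skipped two factor step: require the
    # current password again. verify_current is a hypothetical callback.
    if not verify_current(session_user_id, current_password):
        audit({"event": "password_change_denied", "user": session_user_id})
        raise ReauthRequired("current password not verified")

    req = build_password_update(base_url, api_key, session_user_id, new_password)
    status = send(req)  # hypothetical transport, e.g. a urlopen wrapper
    audit({"event": "password_change", "user": session_user_id, "status": status})
    return status
```
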