Is it possible to disable two-factor without providing the two-factor code?
We're implementing two-factor authentication in our application and want to provide a path for a user if they are no longer able to generate a two-factor code. This would happen if they lost their device or the device was destroyed by being thrown into a volcano like the One Ring.
The two ways I've seen this handled in other systems are:
- Provide an API endpoint that requires API Key Authentication and doesn't require a two-factor code so that we can develop an API endpoint that a Global Administrator can use to allow the affected user to bypass two-factor.
- Provide one or more recovery codes that a user can enter to bypass entering the two-factor code
I'm not sure if I'm missing a way to do either of these or there are any other recommended solutions to handle this use case.
Thanks for helping out,
Depending on the amount of traffic, you could also just have folks contact your customer service. After verifying their identity, the admins can turn off two factor authentication for a given user, allowing them to login. Here's a forum post on how to do that: https://fusionauth.io/community/forum/topic/56/how-can-i-turn-on-two-factor-authentication
Provide an API endpoint that requires API Key Authentication and doesn't require a two-factor code so that we can develop an API endpoint that a Global Administrator can use to allow the affected user to bypass two-factor.
Sure, you could do that, or if you feel comfortable with the Global Administrator having access to the FusionAuth administrative user interface, just have them use the above instructions.
Provide one or more recovery codes that a user can enter to bypass entering the two-factor code
FusionAuth has no built in support for this, but it'd be easy enough to build, because you could build a small app to generate/store these codes (you could even store them in the
user.dataobject so you wouldn't need a database) and then if someone provides one of the codes, the app could flip
twoFactorEnabledto false via PATCH. If you think this should be part of FusionAuth (which I can see being a valid viewpoint), please file an issue.
Thanks for the reply!
I didn't realize you could turn off the two-factor by patching the user. Thanks for pointing me in the correct direction.
As we continue to work through this we are trying to determine the preferred way to validate identity when disabling two-factor with the recovery code.
The issue we are running into is there is no way to confirm their credentials with a direct call to FusionAuth and then apply an action to disable two-factor because we don't get back any JWT token before the two-factor is turned on. This makes sense given the current system, but it does present a problem in this particular scenario.
The only way that we can think to do this is to create an endpoint that:
- User provides their credentials and the recovery code
- API uses the FusionAuth API to do a user login
- API determines if the login is successful (are the credentials rejected?)
- API determines if the user has two-factor on (is the two-factor code returned from FusionAuth?)
- If the login is successful check to see if the recovery code that the user provided matches the one that was generated and disable two-factor
I do not prefer to consume the users credentials directly—I would rather have the user's credentials always managed by FusionAuth. Do you have any recommendations on achieving this functionality?
I'm going to file an issue to have this functionality directly added into FusionAuth.
Thanks for your help!
So it sounds like you're saying you want the user to be checked two times:
- they can login successfully (even if they end up at the dead end of the two FA process)
- they provide some out of band info (answer to a question on file or something like that) to an admin user
And you'd prefer for them to login using the FusionAuth hosted pages, so your application isn't handling any credentials ever.
I was thinking maybe webhooks would work, but there's not one for 'login completed except for two factor auth', so you'd have no way of knowing if they could login successfully.
Other than a screenshare (where a person looks to see if someone has signed in successfully to the hosted pages), which probably isn't a scalable option, I don't see any way, other than what you propose, to prove someone can provide their credentials and get prompted for the two factor code.
The only other solution that jumps to mind is that you could put an image or code or something unique to the login attempt in the
OAuth two-factorthemed page. And then the user could provide that as "proof" that they were able to login to at least that page. Maybe a string encrypted with the time and a secret? You'd have to build that image generator out and provide a way for your admin users to validate it.
I added a github issue related to this discussion: https://github.com/FusionAuth/fusionauth-issues/issues/871
Thanks for adding an issue for this
Please upvote it if you are interested in this moving toward the front of the work queue.