I lost 2FA app and backup keys. How do I disable 2FA


#1

I lost my 2FA app and backup codes. How do I disable the 2FA here? I can still log in due to an already logged-in session. I cannot change the option in settings because it asks for the 2nd key.


#2

CC @jonathon @philm


#3

The whole point of 2FA is to prevent people who don’t have the 2FA codes from gaining access to your account.

Without the 2FA verification there’s no way of knowing whether your account has been compromised.


#4

How do I prove that this is me?


#5

Without 2FA, you can’t. When you enable 2FA you’re essentially saying, “the only person who can use this account must have both password and 2FA device”. You no longer have the 2FA device, so you’re no different to someone who happens to have got access to the password (or your email address, or an active forum session).

All I can realistically suggest is that your current account is anonymised and then you create another account.


#6

If I can reuse the username and email after that, if you can, please do it. I will register once again.


#7

@jonathon The way 2FA is set up is pretty ■■■■■■. In order to disable the 2FA you need to have your 2FA app, which is fine except in the case you lose it; the backup codes don’t work when trying to disable it. Only giving you one-time login which is finite.


#8

@anon71203837 you wouldn’t happen to have LastPass and have a backup of your MFA codes, would you?


#9

Just a suggestion for future purposes. If you have an Android device, the andOTP app lets you back up 2FA keys.


#10

Not all of them do. LastPass Authenticator is the only one I know of. Essentially in Discourse, 2FA is a broken feature since it doesn’t support MFA recovery with the backup codes.


#11

That’s why I mentioned andOTP, which does support exporting and importing 2FA keys.


#12

Ohh I thought it was a typo.


#13

Seems to be becoming deprecated since the dev wants to create a new MFA app. Link below on the matter.


#14

PROTIP: Make a screenshot of the QR code for signing in a new device in future. Use the Authy app (mobile, Mac, Win) to back up 2FA codes.


#15

Also Bitwarden Pro includes a 2FA tool which is pretty darned handy.

Hm. That sounds like a pretty big bug in Discourse - the whole point of backup codes is to act as a one-time key.


#16

Yep, it’s good that I’m not the only one who thought that. :crazy_face: Was starting to think I was crazy. I might fork the Discourse repo and fix over the weekend if not already.


#17

OT
Man ist verrückt wenn man nicht darüber nach denkt ob man verrückt sein könnte.

You’re crazy if you don’t think about being crazy.

Hope DeepL does it well :smiley:


#18

Ah, you mean: Cogito ergo dumm


#19

You can by sending an email or SMS to the guy, and seeing what he responds.