Rocket.Chat
Forced Two-Factor Authentication - Even when disabled
Description:
When adding validated users using the REST API or via the interface, two-factor authentication is forced even when 2FA is disabled.
Steps to reproduce:
- Go to 'Accounts'
- Disable Two-Factor authentications with TOTP
- Disable Two Factor Authentication via Email
- Click Save changes
- Add new user with "validated email" checked
- Try to login
Expected behavior:
When disabling two-factor authentication, it should not be required to enter a two-factor authentication when logging in.
Actual behavior:
It doesn't matter if you disable the two-factor authentication. The server is always forcing it.
Server Setup Information:
- Version of Rocket.Chat Server: 3.14.0
- Operating System: Centos 7
- Deployment Method: tar
- Number of Running Instances: 1
Same here, V. 3.13.1
Same here, v 3.14.2
I've set 3 settings below to false in db.rocketchat_settings:
- Accounts_TwoFactorAuthentication_Enabled
- Accounts_TwoFactorAuthentication_By_Email_Enabled
- Accounts_TwoFactorAuthentication_Enforce_Password_Fallback
Still getting this error when trying to do a POST to /api/v1/users.update:
2021-05-31T04:40:15.110458353Z data: {
2021-05-31T04:40:15.110462753Z success: false,
2021-05-31T04:40:15.110466953Z error: 'TOTP Invalid [totp-invalid]',
2021-05-31T04:40:15.110471353Z errorType: 'totp-invalid',
2021-05-31T04:40:15.110475253Z details: { method: 'password' }
2021-05-31T04:40:15.110479754Z }
Any resolution to this?
I am having this issue as well.
- I enabled 2FA
- I created a user and then realized that 2FA was required
- I disabled 2FA in admin panel
- I created a new user
- New user still prompted for 2FA after login & REST API request
After updating to 4.8.4 this has resolved for me
Facing the same issue on 6.2.8