Disable MFA in case of emergency
Added by Tasslehoff Burrfoot 1 day ago
Hi everyone, I recently set up a new Redmine 6.0.1 instance, where I forced admins to configure MFA for their accounts.
While working on it I changed the hostname and protocol under
Settings > General > Host name and path
Settings > General > Protocol
With this change I basically broke MFA, and it was impossible for anyone to log in except by using backup codes.
At this point I used backup codes, disabled MFA, made some tests (disabling MFA for users and reactivating it again) and got MFA working again.
Honestly I don't know which data is used for making MFA work, but from my tests I suppose the site hostname and protocol have a role in it.
Am I correct?
The next question is: is there any way to bypass or disable MFA in an emergency situation, maybe via a config parameter in the configuration.yml file, a specific file created on the filesystem, or a query on the database, to log in in case MFA is totally broken?
Thanks
Tas