Disable MFA in case of emergency
Added by Tasslehoff Burrfoot 5 months ago
Hi everyone, I recently set up a new Redmine 6.0.1 instance, where I forced admins to configure MFA for their account.
While working on it I changed the hostname and protocol under
Settings > General > Host name and path
Settings > General > Protocol
With this change I basically broke MFA and it was impossible to log in for anyone except by using backup codes.
At this point I used backup codes, disabled MFA and made some tests (disabling MFA for users and reactivating it again) and got MFA back working again.
Honestly I don't know which data is used for making MFA work, but from my tests I suppose the site hostname and protocol have a role in it.
Am I correct?
The next question is: is there any way to bypass or disable MFA in an emergency situation, maybe via a config parameter in the configuration.yml file, a specific file created on the filesystem or a query on the database, to log in in case MFA is totally broken?
Thanks
Tas
Replies (1)
RE: Disable MFA in case of emergency
Added by Retay Henry 22 days ago
Yes, the hostname and protocol settings are crucial for MFA, as they affect URL generation and token validation. For emergency MFA bypass, you can:
1. Database Query: Disable MFA by updating the `two_factor_auth` field in the `users` table via SQL.
2. Configuration File: Check `configuration.yml` for any MFA-related settings to disable temporarily.
3. Backup Codes: Always keep backup codes accessible for emergencies.
Be sure to test changes in a safe environment before applying them. Let me know if you need further clarification!
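The database route from step 1 above, written out as an added example (my own, not from the thread or the Redmine project): an emergency recovery script that removes a broken TOTP pairing from one locked-out admin account, keeps a copy of what it removed, and touches nothing else. Assumptions (mine, not stated in the thread): Redmine keeps the scheme in `users.twofa_scheme` (`'totp'` when active, `NULL` when off) and the secret in `users.twofa_totp_key`; the locked-out admin logs in as `admin`; PostgreSQL syntax.

```sql
-- Added example, not part of the thread. Assumed Redmine schema:
-- users.twofa_scheme ('totp' or NULL) and users.twofa_totp_key (secret).
-- Take a database backup first and run this inside one transaction so a
-- wrong row count can be rolled back instead of committed.
BEGIN;

-- 1. Inspect before changing anything: who has MFA active, and which of
--    them are admins? (type = 'User' excludes groups and the anonymous user)
SELECT id, login, admin, twofa_scheme
  FROM users
 WHERE type = 'User'
   AND twofa_scheme IS NOT NULL
 ORDER BY admin DESC, login;

-- 2. Preserve the pairing about to be removed so the change is auditable
--    and reversible. Table and column names here are my own choice.
CREATE TABLE IF NOT EXISTS twofa_recovery_log (
  user_id        integer   NOT NULL,
  twofa_scheme   varchar,
  twofa_totp_key varchar,
  removed_at     timestamp NOT NULL DEFAULT now(),
  removed_by     varchar   NOT NULL
);

INSERT INTO twofa_recovery_log (user_id, twofa_scheme, twofa_totp_key, removed_by)
SELECT id, twofa_scheme, twofa_totp_key, current_user
  FROM users
 WHERE login = 'admin' AND type = 'User';

-- 3. Disable MFA for that single account only. The WHERE clause is the
--    safety net: never run this as an unqualified UPDATE on users.
UPDATE users
   SET twofa_scheme   = NULL,
       twofa_totp_key = NULL,
       updated_on     = now()
 WHERE login = 'admin' AND type = 'User';

-- 4. Confirm exactly one row now shows twofa_scheme = NULL for that login.
--    If the result is anything else, run ROLLBACK instead of COMMIT.
SELECT login, admin, twofa_scheme
  FROM users
 WHERE login = 'admin' AND type = 'User';

COMMIT;
```

Once that admin can log in again, re-enroll the account in MFA from the web UI before restoring the "required for administrators" policy, and drop the recovery table when the secret it holds is no longer needed.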