Disable MFA in case of emergency
Added by Tasslehoff Burrfoot 4 months ago
Hi everyone, I recently set up a new Redmine 6.0.1 instance, where I forced admins to configure MFA for their account.
While working on it I changed the hostname and protocol under
Settings > General > Host name and path
Settings > General > Protocol
With this change I basically broke MFA and it was impossible to login for anyone except using backup codes.
At this point I used backup codes, disabled MFA and made some tests (disabling MFA for users and reactivating it again) and got MFA working again.
Honestly I don't know which data is used to make MFA work, but from my tests I suppose the site hostname and protocol have a role in it.
Am I correct?
The next question is: is there any way to bypass or disable MFA in an emergency situation, maybe via a config parameter in the configuration.yml file, a specific file created on the filesystem or a query on the database, to log in in case MFA is totally broken?
Thanks
Tas
Replies (1)
RE: Disable MFA in case of emergency
Added by Retay Henry 4 days ago
Yes, the hostname and protocol settings are crucial for MFA, as they affect URL generation and token validation. For emergency MFA bypass, you can:
1. Database Query: Disable MFA by updating the `two_factor_auth` field in the `users` table via SQL.
2. Configuration File: Check `configuration.yml` for any MFA-related settings to disable temporarily.
3. Backup Codes: Always keep backup codes accessible for emergencies.
Be sure to test changes in a safe environment before applying them. Let me know if you need further clarification!
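The database route from step 1 of the reply above, written out as an added example that is not part of the original reply or of Redmine itself. It assumes the column and table names of recent Redmine releases (users.twofa_scheme, users.twofa_totp_key, and the settings table with name/value rows, where the site-wide policy is the row named twofa); those names are an assumption, so confirm them against your own schema (for example with `\d users` in psql or `DESCRIBE users;` in MySQL) before running anything. The example deliberately inspects first, then deactivates MFA for a single named administrator inside a transaction rather than for every user, so the row count can be checked before committing.

```sql
-- Added example, not Redmine's own code or the reply author's.
-- Assumed schema: users.twofa_scheme, users.twofa_totp_key,
-- settings(name, value). Verify against your database first.

-- 1. Inspect: which accounts have MFA active, and what is the site-wide policy?
--    twofa_scheme is NULL/empty when MFA is not enrolled for that user.
SELECT id, login, admin, twofa_scheme,
       twofa_totp_key IS NOT NULL AS has_totp_key
FROM users
WHERE type = 'User'
  AND twofa_scheme IS NOT NULL
  AND twofa_scheme <> '';

-- The 'twofa' setting row holds the site-wide policy
-- ('0' disabled, '1' optional, '2' required, as assumed here).
SELECT name, value, updated_on
FROM settings
WHERE name = 'twofa';

-- 2. Emergency deactivation for ONE locked-out administrator only.
--    Run inside a transaction and check that exactly one row was affected
--    before committing; roll back otherwise.
BEGIN;

UPDATE users
SET twofa_scheme   = NULL,   -- marks MFA as not enrolled
    twofa_totp_key = NULL    -- discards the old TOTP secret
WHERE login = 'admin'        -- assumed login of the locked-out admin
  AND admin = TRUE
  AND type  = 'User';

-- Expected: 1 row updated. If not, ROLLBACK; instead of COMMIT;.
COMMIT;

-- 3. Confirm the change took effect for that account.
SELECT id, login, twofa_scheme, twofa_totp_key
FROM users
WHERE login = 'admin';
```

After committing, restart the Redmine application processes so that no cached user or setting state keeps the old values, log in with password only, and re-enrol MFA for that account immediately from the web UI rather than leaving it disabled. Treat the direct database edit as an audited break-glass action: record who ran it and when, because it removes a second factor without any of the application's own checks.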