Two factor authen turned off by user, then turn on by admin, user can still login without OTPP

Hi All,

As I can’t find a way to for user to use 2 factor, I then simulate if user turn off 2 factor but admin turn it back on. Here’re the steps I did:

  1. User enabled 2 factor with FreeOTP at Personal page
  2. Mobile FreeOTP capture the 2D barcode
  3. User Log off and log in with 2 factor to test
  4. User turn off 2 factor at Personal page
  5. Admin access server SSH as root then execute the following command:
    sudo -u www-data php occ twofactorauth:enable
  6. Console shows Two-factor authentication enabled for user
  7. User login on web again ----> without OTPP prompt and can login with user name and password only!!

I repeat login several times after 10 min, still can login without OTPP…

Please correct me if my concept is wrong.

Also, is there any way to force enable or disable user to turn off 2 factor?

Thanks a lot.


hi irvin,
this is as designed and the correct behaviour. you have to execute the following command to enable totp per user

sudo -u www-data php occ twofactorauth:enable username


sudo -u www-data php occ twofactorauth:disable username

to disable totp per user.
please also have a look here: tips: command line

cheers, carsten