Two-factor authentication 'limit to groups' results in error for user logging on

Hello all, I have set a group for to use with Two-Factor TOTP Provider. This is to group certain users to enforce 2FA. Here are the steps:

  1. Server:
    Two-Factor TOTP Provider:
    Set the check box “Limit to groups” to “2FA”.

  2. Server: Set user to group 2FA. User had access to the server prior to now and without being a member of 2FA or any other group.

  3. User: On becoming a member of the group 2FA, the following screen appears when logging in: “Could not load at least one of your enabled two-factor auth methods. Contact your admin.”

  4. Server: Removed the user from the group 2FA.

  5. User: The user still received the error on the log on screen: “Could not load at least one of your enabled two-factor auth methods. Contact your admin.”

Is there a method to reset this 2FA for each individual user? I have noticed that when creating a new user and adding the user to the group 2FA before their initial log on to the system, they see the correct screens and they are able to set up 2FA. The error happens when my older users are forced by the ‘limit to groups’ setting to set up 2FA, and once this is initiated, I am unable as admin to reset or remove the 2FA from their log on, and the user is locked out.

Thank you and comments very welcome!

Did you already try it with the occ 2FA-tools:

 twofactorauth
  twofactorauth:admin:generate-code      Generate a one-time 2FA code for users to log into their account
  twofactorauth:cleanup                  Clean up the two-factor user-provider association of an uninstalled/removed provider
  twofactorauth:disable                  Disable two-factor authentication for a user
  twofactorauth:enable                   Enable two-factor authentication for a user
  twofactorauth:enforce                  Enabled/disable enforced two-factor authentication
  twofactorauth:gateway:configure
  twofactorauth:gateway:remove
  twofactorauth:gateway:status
  twofactorauth:gateway:test
  twofactorauth:state                    Get the two-factor authentication (2FA) state of a user

you could first look up the state of the affected user with

occ twofactorauth:state $user

and then disable the 2FA explicitly for that user with

occ twofactorauth:disable $user

the latter should do what you are looking for.

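The two occ steps from the reply (check the state, then disable) wrapped in a small POSIX shell script that also re-reads the state afterwards and handles several locked-out users at once. This is an added example, not code from the thread or from Nextcloud; it assumes occ is at /var/www/nextcloud/occ and is run as www-data, and that `twofactorauth:state` reports "Two-factor authentication is enabled for user ..." when 2FA is still active.

```shell
# Added example (not from the thread): reset 2FA for one or more users with
# the occ commands named in the reply, and verify the result afterwards.
# Assumptions: occ lives at /var/www/nextcloud/occ and is run as www-data;
# OCC can be overridden (e.g. with a wrapper function) for testing.
OCC="${OCC:-sudo -u www-data php /var/www/nextcloud/occ}"

# Show the current 2FA state of a user (occ twofactorauth:state <uid>).
twofa_state() {
    $OCC twofactorauth:state "$1"
}

# Disable 2FA for one user, then re-read the state. Succeeds only when the
# state no longer reports 2FA as enabled (assumes the "Two-factor
# authentication is enabled for user" wording of occ's output).
reset_user_2fa() {
    user="$1"
    printf 'Before: %s\n' "$(twofa_state "$user")"
    $OCC twofactorauth:disable "$user" || return 1
    after="$(twofa_state "$user")"
    printf 'After:  %s\n' "$after"
    case "$after" in
        *"Two-factor authentication is enabled"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Reset every user given on the command line; report failures and return
# the number of users whose 2FA could not be disabled (0 = all reset).
reset_users_2fa() {
    failed=0
    for u in "$@"; do
        if reset_user_2fa "$u"; then
            echo "reset ok: $u"
        else
            echo "reset FAILED: $u" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: sh reset-2fa.sh alice bob
if [ "$#" -gt 0 ]; then
    reset_users_2fa "$@"
fi
```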