Requiring TFA will block any user from authenticating when that user hasn't set up TFA. That's all well and good, but it presents a challenge for site administrators to figure out how to get the user set up with TFA without removing the restriction.

The easiest and probably solution is for the administrator to downgrade the account to a role that doesn't require TFA, thus allowing them to authenticate. The idea being that if admin roles are required to have TFA and a user doesn't have TFA set up, by removing that role they can authenticate but not access anything their admin role grants them. Once they set up TFA (setup must be granted to the lower role), the admin can re-grant the admin role.

Documenting this in the TFA module or on drupal.org would be helpful for TFA administrators.

Comments

greggles

I think the README.txt of TFA makes sense as a place to document this.

coltrane

Project: Two-factor Authentication (TFA) » TFA Basic plugins
Version: 7.x-2.x-dev » 7.x-1.x-dev

Moving this to TFA Basic since #2371315: Remove UID 1 enforcement of TFA and allow hooks to require will remove the TFA module's 'require tfa' permission. https://www.drupal.org/node/1663240 will need to be updated.

gisle

This really needs to be better documented. A lot of people seem to be having problems with this, e.g.: #2838432: Self login and tfa account setup.