- Issue created by @edvanleeuwen
- 🇺🇸 United States cmlara
and is not able to use TFA, he is stuck at login.
Can you clarify: are you saying the password reset feature does not function when a user does not have any TFA tokens provisioned, or are you saying that the user has tokens configured but does not recall / does not have the token in their possession?
Related security advisories:
One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-061
Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2023-030
Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-053
- 🇳🇱 Netherlands edvanleeuwen Waalwijk
The latter, so a user has had TFA enabled, but does not recall the code.
- 🇺🇸 United States cmlara
As described I'm going to classify this as a won't fix.
It is very intentional that TFA is required in this scenario and not permitted to be disabled.
This is not just a convention between the TFA module and the site owner, it is also a convention between the end user and the TFA module.
A primary purpose of MFA is to ensure that a second factor is always provided. If this feature were to be added it would undermine protection against one of the most common attack vectors that MFA is designed to protect against.
If the user doesn't know their tokens, it is time to be speaking with the site support, who should be running procedures on how to grant access. I admit we could possibly provide more tools around this (other than the currently available 'disable tfa' on the single user account); however, that is a separate discussion from a global disable of the prompting.
Somewhat related security concept:
CWE-620: Unverified Password Change
- 🇺🇸 United States cmlara
Additional note:
If a developer really wants to implement this, I imagine they could do so with a Login plugin if they detected a password reset page and signaled the plugin to allow access.
TFA can't control what other plugins exist or are installed. I would advise against such a plugin (see related Security Advisories); however, if a site feels strongly this is absolutely needed, that may provide them an option to do so without TFA providing the feature.