Disable MFA without TOTP #9623

mtrezza · 2025-03-02T03:12:53Z

New Issue Checklist

Report security issues confidentially.
Any contribution is under this license.
Before posting search existing issues.

Issue Description

Originally posted by @SteffenKeller:

A logged-in user can disable MFA for their account without entering a valid verification code by simply calling the unlink function or saving null for the MFA auth data.

The TOTP auth adapter prevents setting a new secret without a valid code (AuthenticationAdapters.spec.js line 2413), but it does not prevent clearing the secret first and then setting a new one.

This may not be critical, but since the TOTP auth adapter was designed to require a valid code to disable mfa, I thought it was worth mentioning.

Steps to reproduce

JS SDK:

await user._unlinkFrom('mfa');

or

await user.save(
    { authData: { mfa: null } },
    { sessionToken: user.getSessionToken() }
);

Environment

Server

Parse Server version: FILL_THIS_OUT

The text was updated successfully, but these errors were encountered:

parse-github-assistant · 2025-03-02T03:12:55Z

Thanks for opening this issue!

❌ Please fill out all fields with a placeholder FILL_THIS_OUT, otherwise your issue will be closed. If a field does not apply to the issue, fill in n/a.

mtrezza added type:bug Impaired feature or lacking behavior that is likely assumed bounty:$20 Bounty applies for fixing this issue (Parse Bounty Program) labels Mar 2, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Disable MFA without TOTP #9623

Disable MFA without TOTP #9623

mtrezza commented Mar 2, 2025

parse-github-assistant bot commented Mar 2, 2025

Disable MFA without TOTP #9623

Disable MFA without TOTP #9623

Comments

mtrezza commented Mar 2, 2025

New Issue Checklist

Issue Description

Steps to reproduce

Environment

parse-github-assistant bot commented Mar 2, 2025

Thanks for opening this issue!