
Managing Two-Factor Authentication (2FA)

This guide explains how to turn Two-Factor Authentication (2FA) on or off for user accounts. Only admins can change a user's 2FA setting, and they do so by granting or removing a dedicated role (2fa) on the account.

By default, new accounts are created without 2FA. You can enable it at account-creation time by passing the 2FA flag to the AccountClient.CreateAccountAsync method; see the documentation for the AccountClient class for details.

Enabling 2FA By Default

Directly enable Two-Factor Authentication (2FA) for new accounts without admin intervention by setting the 2FA option in the CreateAccountAsync method. This approach ensures enhanced security from the moment an account is created.

Note: An account with 2FA enabled must verify its email address before it can log in, because 2FA depends on a verified email address. An account without 2FA can log in without verifying its email.

Unity Example

using System.Threading.Tasks;

// Create an account and, when use2fa is true, enable 2FA immediately so the
// account is never reachable with a password alone.
public async Task CreateAccountWith2FA(
    string email,
    string username,
    string password,
    bool use2fa)
{
    await AccountService.Api.Account.CreateAccountAsync(
        email,
        username,
        password,
        use2fa);
}

Enabling 2FA Later

To enable or disable Two-Factor Authentication (2FA) for a user after the account has been created, follow these steps:

Turning On 2FA

Here's how to enable 2FA for a user:

  1. Sign In as Admin: Make sure you're logged in as an admin.
  2. Find the User: Pick the user account you want to enable 2FA for (username or email).
  3. Give 2FA Role: Add the 2fa role to the account using admin tools (AdminClient and/or AccountService class).

Unity Example

using System.Threading.Tasks;

public async Task Enable2FAForUser(string accountId)
{
    // Grant the 2fa role; from now on the account must complete 2FA
    // (and therefore have a verified email) to log in.
    await AccountService.Api.Admin.SetRoleAsync(accountId, Roles.TwoFactorEnabled);
}

Turning Off 2FA

Disabling 2FA mirrors enabling it: you remove the role instead of adding it:

  1. Sign In as Admin: Log in with your admin account.
  2. Find the User: Choose the user account to disable 2FA for.
  3. Take Away 2FA Role: Remove the 2fa role from the account using admin tools (AdminClient and/or AccountService class).

Unity Example

using System.Threading.Tasks;

public async Task Disable2FAForUser(string accountId)
{
    // Remove the 2fa role; the account falls back to password-only login.
    await AccountService.Api.Admin.RemoveRoleAsync(accountId, Roles.TwoFactorEnabled);
}

Important Notes

  • Changing roles is a privileged operation. Removing the 2fa role drops the account back to password-only login, so restrict who holds admin credentials and review role changes.
  • Verify you're targeting the correct account before changing roles. Usernames and emails are case-insensitive: "username", "Username", and "UsErNaMe" all refer to the same account, so an identifier that differs only in case is not a different user.
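The enable and disable procedures above, combined into one admin helper that also applies the case-insensitive identifier check from the notes, as an added example (this is not code from the original page or from the SDK it documents). It assumes only the AccountService.Api.Admin.SetRoleAsync / RemoveRoleAsync calls and the Roles.TwoFactorEnabled constant shown earlier; the TwoFactorAdmin class, the SameIdentifier helper and the expected/resolved identifier parameters are hypothetical, and how an account id is resolved from a username or email is left to the AdminClient API, which this example does not assume.

```csharp
using System;
using System.Threading.Tasks;

// Hypothetical helper (added example, not part of the SDK): toggles the 2fa
// role for one account and refuses to act unless the identifier the operator
// typed matches the identifier of the account record that was resolved from it.
public static class TwoFactorAdmin
{
    // Usernames and emails are case-insensitive in this system, so compare
    // identifiers with an ordinal, case-insensitive comparison rather than ==.
    public static bool SameIdentifier(string a, string b)
    {
        if (a == null || b == null) return false;
        return string.Equals(a.Trim(), b.Trim(), StringComparison.OrdinalIgnoreCase);
    }

    // Enable (enabled == true) or disable 2FA for the given account id.
    // expectedIdentifier: the username or email the operator asked for.
    // resolvedIdentifier: the username or email of the account record that
    //   was looked up (resolution itself is outside this example).
    // Returns false, without touching any role, when the two do not match.
    public static async Task<bool> SetTwoFactorAsync(
        string accountId,
        string expectedIdentifier,
        string resolvedIdentifier,
        bool enabled)
    {
        if (string.IsNullOrWhiteSpace(accountId))
            throw new ArgumentException("accountId is required", nameof(accountId));

        // Step 2 of the procedure: make sure we are about to change the right account.
        if (!SameIdentifier(expectedIdentifier, resolvedIdentifier))
            return false;

        try
        {
            if (enabled)
                await AccountService.Api.Admin.SetRoleAsync(accountId, Roles.TwoFactorEnabled);
            else
                await AccountService.Api.Admin.RemoveRoleAsync(accountId, Roles.TwoFactorEnabled);
            return true;
        }
        catch (Exception ex)
        {
            // Never swallow a failed role change: an admin who believes 2FA was
            // enabled when it was not has a false sense of security.
            UnityEngine.Debug.LogError($"2FA role change failed for account {accountId}: {ex.Message}");
            throw;
        }
    }
}
```

Call it from an admin-only context, e.g. `await TwoFactorAdmin.SetTwoFactorAsync(id, "Alice@example.com", "alice@example.com", true)`, which passes the identifier check because the two strings differ only in case; a typo such as "alicia@example.com" makes the helper return false before any role is changed.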