Global disable 2FA #3891

Open
opened 2026-02-05 07:47:18 +03:00 by OVERLORD · 6 comments

Originally created by @nixklai on GitHub (Jun 30, 2023).

Describe the feature you'd like

I think we should consider a "global kill switch" to disable 2FA.

This option should be limited to SSO-enabled BookStack instance.

Describe the benefits this would bring to existing BookStack users

This feature is intended to make life easier for BookStack admins.

For an SSO-enabled BookStack instance, admins may already enforce MFA requirements at the SSO provider instead of in BookStack.
However, BookStack currently allows users to enable both, with no way to globally turn BookStack 2FA off, which causes nuisance to admins and confusion for users.

Case 1: An existing user may have enabled BookStack 2FA and then been enrolled into SSO MFA.
Case 2: A new user with SSO MFA enabled can also enable BookStack 2FA.

In both cases, users can encounter 2 MFA challenges. Also, having 2 pathways to "enable 2FA/MFA" may cause users to enable the wrong MFA mechanism.

Can the goal of this request already be achieved via other means?

No. The BookStack 2FA mechanism cannot be disabled by admins.

Have you searched for an existing open/closed issue?

  • I have searched for existing issues and none cover my fundamental request

How long have you been using BookStack?

0 to 6 months

Additional context

No response

OVERLORD added the 🔨 Feature Request label 2026-02-05 07:47:18 +03:00

@ssddanbrown commented on GitHub (Jul 3, 2023):

Thanks for the request @nixklai.
Possible something we look to do when we add the next MFA option (Maybe #3912).
At that point, we'd probably want to provide control of MFA options to users, so could disable MFA setup if admin has configured no MFA options to be available.

Easiest/safest route to take would probably be to prevent new MFA registration/setup via this, rather than toggle entire MFA availability on/off. Avoids core conditional auth logic and keeps some flexibility of enabling MFA for core/important accounts before making it unavailable, with the impact being some potential pain to existing MFA environments where full disabling is required, but there are other options for dealing with that one-time case (DB lookup & de-activation via CLI).


@BobWs commented on GitHub (May 9, 2024):

I'm facing this issue also. As an Admin I'm setting up SSO for my users on a Synology NAS, using the built-in app `Synology SSO Server` to serve the SSO to my users.
I've successfully managed to set up SAML for my existing BookStack users; the only problem I'm facing now is the double 2FA/MFA for the users.
In the `standard` method the 2FA/MFA was already enabled for the users, and now with the SSO migration every user needs to authenticate the MFA 2 times.
As this is an old post, I was wondering if there is already a solution for this?


@ssddanbrown commented on GitHub (May 9, 2024):

@BobWs There's a command to reset user MFA: https://www.bookstackapp.com/docs/admin/commands/#reset-user-mfa-methods

You could export the user list (API, Database, Scrape UI) to then batch that for each user.

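A scripted version of the batch procedure described in this comment, added here as an example (not BookStack project code and not the commenter's). It assumes the exported user list is a CSV with a header row and the email address in the first column, that BookStack is installed in `$BOOKSTACK_DIR`, and that `bookstack:reset-mfa` accepts an `--email` option as the linked docs page describes; `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the BookStack project: reset BookStack MFA for every
# user in an exported list so that the SSO provider's MFA is the only challenge.
# Assumptions: CSV export with header row and email in column 1; BookStack in
# $BOOKSTACK_DIR; the --email option of bookstack:reset-mfa as per the docs.

BOOKSTACK_DIR="${BOOKSTACK_DIR:-/var/www/bookstack}"

# Read the CSV on stdin and print one validated email per line. The header is
# skipped, quotes and CRs stripped, and any value that is empty, lacks an '@',
# or contains characters outside a conservative set is dropped, so a stray
# label or malformed row never reaches the reset command.
extract_emails() {
    tail -n +2 | cut -d, -f1 | tr -d '\r"' | while IFS= read -r email; do
        case "$email" in
            *[!A-Za-z0-9._+@-]*) ;;                 # unexpected characters: skip
            *@*) printf '%s\n' "$email" ;;          # plausible address: keep
            *) ;;                                   # blank or no '@': skip
        esac
    done
}

# For each email, run the documented reset command from the BookStack
# directory. The address is passed as a single quoted argument, never through
# a shell re-parse. With DRY_RUN=1 the command is only printed for review.
run_reset() {
    extract_emails | while IFS= read -r email; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "[dry-run] php artisan bookstack:reset-mfa --email=$email"
        else
            (cd "$BOOKSTACK_DIR" && php artisan bookstack:reset-mfa --email="$email")
        fi
    done
}

# Constructed sample export (not real users) for a stand-alone demo run.
SAMPLE_EXPORT='email,name
alice@example.org,Alice
"bob@example.org",Bob

not-an-email,Mallory'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_EXPORT" | DRY_RUN=1 run_reset
fi
```

Review the dry-run output against the export before running it for real; every reset removes that user's BookStack-side second factor until they re-enrol.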

@col-panic commented on GitHub (Jun 19, 2024):

I second this request. An ENV variable to deactivate 2FA would really be handy. There is some confusion in an SSO scenario to have an additional 2FA pop up.


@uhattech commented on GitHub (Oct 23, 2024):

I third this request. Our end users get confused when we already have SSO enabled with Azure and then they click on their account to set up 2FA, because we do a good job of telling everyone that 2FA should be used in business and in their personal lives. Therefore, they will turn on the 2FA in BookStack, which is separate from our SSO 2FA, and they think they are supposed to enter our SSO 2FA secret into BookStack's 2FA, and it doesn't work. I then must log in to the server and run the command on their account to turn off the BookStack 2FA and then remind them not to select/turn back on the 2FA in their profile.


@vazaha-nl commented on GitHub (Feb 20, 2025):

I support this too. A simple solution would be to expand the mfa reset command with an `--all` switch to reset mfa for all users. If I have time I will implement and open a PR for this.
For now, a workaround is to just delete all rows in the `mfa_values` table.

Reference: starred/BookStack#3891