2FA Policy not enforced after removing a user's 2FA through the Admin interface #1667

Closed
opened 2026-02-05 01:27:54 +03:00 by OVERLORD · 2 comments

Originally created by @FreeMinded on GitHub (Aug 26, 2023).

Subject of the issue

The Admin Panel allows removing 2FA configurations from a user (which is great). Unfortunately, the user is neither removed from the organization nor asked to set up 2FA again at the next login if he is part of an organization with a 2FA policy. The user still has full access to this organization. So it's a way to circumvent the 2FA policy, presenting a security flaw.

See the forum discussion: https://vaultwarden.discourse.group/t/2fa-policy-not-enforced-after-removing-a-users-2fa-settings/2875

Deployment environment

Vaultwarden Version 2023.5.0

Steps to reproduce

  1. Invite a user to an organization with a 2FA policy and complete the process to give the user access (the user will be forced to configure 2FA)
  2. Remove the user's 2FA from the /admin interface
  3. Log in as the user (no 2FA will be required anymore)
  4. The user still has access to the organization with the 2FA policy

Expected behaviour

With the removal of the 2FA settings for a user in the /admin interface, the user should be removed from any organization with a 2FA policy.

This would be consistent with the current behavior: when a user removes his 2FA settings himself, he gets removed from all organizations with a 2FA policy.

Actual behaviour

The user still has access to the organization with the 2FA policy despite not having 2FA configured.

OVERLORD added the enhancement, bug labels 2026-02-05 01:27:54 +03:00
@BlackDex commented on GitHub (Aug 26, 2023):

Looks like we need to remove/disable a user if they disable/remove their 2FA; this is currently not the case.
Thanks for the report.

Keep in mind that an Owner or Admin is always able to log in and access the Org, with or without 2FA enabled.

@FreeMinded commented on GitHub (Aug 26, 2023):

> Keep in mind that an Owner or Admin is always able to log in and access the Org, with or without 2FA enabled.

@BlackDex yes, I realized that. What is the reason for this behavior? It would make sense to enforce 2FA for owners and admins as well, wouldn't it?

Actually, thinking of it, this would be an argument for blocking access to an organization rather than removing the user from it completely when lacking 2FA. Otherwise you might have no one left to invite the user again. 🙈

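As an added example that is not Vaultwarden's code and was not posted by anyone in this thread, the Rust model below shows the invariant the report and the two replies describe: every code path that removes a user's 2FA must re-apply the organization's 2FA policy, not only the self-service one. It models the reported admin-panel path (2FA rows deleted, memberships untouched) beside a fixed path that funnels through one shared enforcement function, keeps the Owner/Admin exemption the maintainer mentions, and follows the reporter's suggestion of revoking the membership rather than deleting it so an org cannot lose its last inviter. The type and function names, the `Revoked` status, the numeric ids and the fixture data are assumptions made for illustration.

```rust
// Added example modelling the 2FA-policy invariant from the issue above.
// Not Vaultwarden code; names, statuses and fixture data are assumptions.
use std::collections::{HashMap, HashSet};

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role { Owner, Admin, User }

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Status { Confirmed, Revoked }

#[derive(Clone, Debug)]
pub struct Membership { pub org_id: u32, pub role: Role, pub status: Status }

#[derive(Default, Debug)]
pub struct Store {
    /// org_id -> whether the org has the "require 2FA" policy enabled
    pub org_requires_2fa: HashMap<u32, bool>,
    /// users that currently have at least one 2FA method configured
    pub has_2fa: HashSet<u32>,
    /// user_id -> that user's org memberships
    pub memberships: HashMap<u32, Vec<Membership>>,
}

impl Store {
    /// Access check as the report describes it: a confirmed membership is enough.
    pub fn can_access_org(&self, user_id: u32, org_id: u32) -> bool {
        self.memberships.get(&user_id).map_or(false, |ms| {
            ms.iter().any(|m| m.org_id == org_id && m.status == Status::Confirmed)
        })
    }

    /// Re-apply the 2FA policy after the user's 2FA state changed. A plain
    /// member of an org that requires 2FA is revoked (not deleted) when 2FA
    /// is gone; Owners/Admins are exempt, as the maintainer notes they can
    /// always log in. Returns the org ids whose membership was revoked.
    pub fn enforce_2fa_policy(&mut self, user_id: u32) -> Vec<u32> {
        let user_has_2fa = self.has_2fa.contains(&user_id);
        let mut revoked = Vec::new();
        if let Some(ms) = self.memberships.get_mut(&user_id) {
            for m in ms.iter_mut() {
                let org_requires = self.org_requires_2fa.get(&m.org_id).copied().unwrap_or(false);
                let privileged = matches!(m.role, Role::Owner | Role::Admin);
                if org_requires && !user_has_2fa && !privileged && m.status == Status::Confirmed {
                    m.status = Status::Revoked;
                    revoked.push(m.org_id);
                }
            }
        }
        revoked
    }

    /// Self-service path, which the reporter says already enforces the policy.
    pub fn user_removes_own_2fa(&mut self, user_id: u32) -> Vec<u32> {
        self.has_2fa.remove(&user_id);
        self.enforce_2fa_policy(user_id)
    }

    /// Admin-panel path as reported: the 2FA rows go away and nothing else happens.
    pub fn admin_removes_2fa_unenforced(&mut self, user_id: u32) {
        self.has_2fa.remove(&user_id);
    }

    /// Admin-panel path with the fix: same state change, same enforcement hook.
    pub fn admin_removes_2fa_enforced(&mut self, user_id: u32) -> Vec<u32> {
        self.has_2fa.remove(&user_id);
        self.enforce_2fa_policy(user_id)
    }
}

/// Constructed fixture: org 1 requires 2FA; user 10 is a plain member and
/// user 20 an Owner, both with 2FA configured.
pub fn fixture() -> Store {
    let mut s = Store::default();
    s.org_requires_2fa.insert(1, true);
    s.has_2fa.insert(10);
    s.has_2fa.insert(20);
    s.memberships.insert(10, vec![Membership { org_id: 1, role: Role::User, status: Status::Confirmed }]);
    s.memberships.insert(20, vec![Membership { org_id: 1, role: Role::Owner, status: Status::Confirmed }]);
    s
}

/// Reproduces the report for user 10. Returns
/// (still has access after the unenforced admin path, has access after the fixed path).
pub fn reproduce() -> (bool, bool) {
    let mut a = fixture();
    a.admin_removes_2fa_unenforced(10);
    let access_unenforced = a.can_access_org(10, 1);

    let mut b = fixture();
    b.admin_removes_2fa_enforced(10);
    let access_enforced = b.can_access_org(10, 1);
    (access_unenforced, access_enforced)
}

fn main() {
    let (unenforced, enforced) = reproduce();
    println!("access after unenforced admin path: {}, after enforced path: {}", unenforced, enforced);
}
```

The point of routing both paths through `enforce_2fa_policy` is that the invariant ("no 2FA, no access to a 2FA-policy org") is checked at the single place the 2FA state changes, so a new admin or API path added later cannot silently bypass it the way the reported /admin path does.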

Reference: starred/vaultwarden#1667