Hello,
I hope I’m posting this under the correct topic, if not I apologize.
We are using self hosted Passbolt CE v4.5.2-1 running on Rocky Linux 8. We have MFA enabled (TOTP) and are using Microsoft Authenticator with it.
If for some reason MS Authenticator was unavailable, due to an outage or some other cause, then no one would be able to log into Passbolt, as I understand it.
A solution would be to disable MFA; however, if the administrator can’t log in then it’s not possible to disable MFA from within the application.
I looked at the environment variable reference but did not see a variable that controls MFA.
Is it possible to update a table in the database directly and disable MFA?
Has anyone already done this? If so, could you share the query you used to update the database to disable MFA?
I was thinking if there was just one column in one table that held the state of MFA it should be simple to update that column to disable MFA.
I share your concerns regarding the possibility to disable MFA from the database, and yes, this is possible.
You’d need to copy the id that is related to your account; you can get it with this SQL query: SELECT id,username FROM users WHERE username='YOUR_EMAIL';
Then, you can delete the account settings that refer to MFA for the identifier you’ve copied before: DELETE FROM account_settings WHERE user_id='YOUR_USER_ID' AND property='mfa';
After that you should be able to log in without any MFA required. Do not forget to re-configure it afterwards.
Thanks for your answer. Is there any way you could write a step-by-step on how to do this? I'm sorry, I have tried to Google it. I can't remember what I learned in college about databases; it's been 10 years since I have messed with them.
I have tried mysql -u myuser -p; it says mysql is not a bash command. The first time I did it, it worked, but I forgot to save. I thought it automatically saved.
mysql is an alias of the mariadb command; sometimes the alias is not set. If you get “mysql is not a bash command”, you should try mariadb instead.
If you forgot the database credentials, you can access them in /etc/passbolt/passbolt.php in the Datasources array.
After that, in order to log in to the database you’ll have to run:
mariadb -u YOUR_DB_USER -p YOUR_PB_DATABASE
You should be prompted to enter the password afterwards, then you can follow what I’ve shared above:
You’d need to copy the id that is related to your account; you can get it with this SQL query: SELECT id,username FROM users WHERE username='YOUR_EMAIL';
Then, you can delete the account settings that refer to MFA for the identifier you’ve copied before: DELETE FROM account_settings WHERE user_id='YOUR_USER_ID' AND property='mfa';
After that you should be able to log in without any MFA required. Do not forget to re-configure it afterwards.
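The lookup and delete from the replies above, written as one session to type into the mariadb client, as an added example that is not part of the original posts. It matches the user by e-mail inside the DELETE instead of pasting the id, and wraps the change in a transaction; it assumes the tables use a transactional engine such as InnoDB, and YOUR_EMAIL is the same placeholder used in the thread.

```sql
-- Added example, not from the original thread.
-- Run statement by statement after: mariadb -u YOUR_DB_USER -p YOUR_PB_DATABASE
-- Replace YOUR_EMAIL with the e-mail address of the locked-out account.
-- Every statement ends with a semicolon; the client waits for it before running.

START TRANSACTION;

-- 1. Confirm the account exists; expect exactly one row.
SELECT id, username
FROM users
WHERE username = 'YOUR_EMAIL';

-- 2. Show the MFA settings rows that step 3 will remove.
SELECT user_id, property
FROM account_settings
WHERE property = 'mfa'
  AND user_id = (SELECT id FROM users WHERE username = 'YOUR_EMAIL');

-- 3. Delete only that account's MFA settings.
DELETE FROM account_settings
WHERE property = 'mfa'
  AND user_id = (SELECT id FROM users WHERE username = 'YOUR_EMAIL');

-- 4. Number of rows the DELETE removed; it should equal the row count from step 2.
SELECT ROW_COUNT() AS rows_deleted;

-- 5. Keep the change. If the count in step 4 is not what step 2 showed,
--    type ROLLBACK; here instead of COMMIT; to undo the DELETE.
COMMIT;
```

After the COMMIT, the account logs in without MFA until it is configured again from the application.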
I'm not sure what I'm doing wrong. When I put in the delete command I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ‘DELETE FROM account_settings WHERE user_id=‘passbolt’ AND property=‘mfa’’ at line 2