[GH-ISSUE #1870] Make users confirm their second factor before saving it #3111

New issue

Open

opened 2026-03-14 06:34:50 +03:00 by kerem · 0 comments

kerem commented

2026-03-14 06:34:50 +03:00

Owner

Originally created by @sebvonhelsinki on GitHub (May 10, 2024).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/1870

Is your feature request related to a problem? Please describe.
When setting up 2FA, the user sees the the TOTP setup QR code and confirms with a click on "FINISH". When the user clicks on "FINISH", TacticalRMM saves the TOTP base code, without verifying that the user actually has it set up successfully on their end. If the user, for any reason, was not able to set up 2FA successfully, they are now locked out of their account since TacticalRMM asks for 2FA confirmation on the next login.

Describe the solution you'd like
After showing the user the TOTP secret code/QR code, before the user can confirm that they have set up MFA, the user should be required to enter the current TOTP code generated from the currently shown TOTP secret. Only after this confirmation should the 2FA settings for the user be updated.

To streamline this, the confirmation could look as follows:

below the clean text TOTP secret, above the "FINISH" button, there could be a numbers-only text input field labeled "Enter your new TOTP code:"
when a user clicks "finish", the code is sent to the server and verified against the not-yet-saved TOTP secret
if the verification fail, the user stays on the page to set up 2FA and is confronted with an error message indicating that the TOTP-code entered was wrong
if the verification is successfull, the TOTP secret gets saved for the user in TacticalRMM. the user is redirected to the login page

Describe alternatives you've considered
No alternatives have come to mind.

Additional context
TacticalRMM is the first service I have encountered that activates 2FA without verifying that it actually works.

Originally created by @sebvonhelsinki on GitHub (May 10, 2024). Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/1870 **Is your feature request related to a problem? Please describe.** When setting up 2FA, the user sees the the TOTP setup QR code and confirms with a click on "FINISH". When the user clicks on "FINISH", TacticalRMM saves the TOTP base code, without verifying that the user actually has it set up successfully on their end. If the user, for any reason, was not able to set up 2FA successfully, they are now locked out of their account since TacticalRMM asks for 2FA confirmation on the next login. **Describe the solution you'd like** After showing the user the TOTP secret code/QR code, before the user can confirm that they have set up MFA, the user should be required to enter the current TOTP code generated from the currently shown TOTP secret. Only after this confirmation should the 2FA settings for the user be updated. To streamline this, the confirmation could look as follows: - below the clean text TOTP secret, above the "FINISH" button, there could be a numbers-only text input field labeled "Enter your new TOTP code:" - when a user clicks "finish", the code is sent to the server and verified against the not-yet-saved TOTP secret - if the verification fail, the user stays on the page to set up 2FA and is confronted with an error message indicating that the TOTP-code entered was wrong - if the verification is successfull, the TOTP secret gets saved for the user in TacticalRMM. the user is redirected to the login page **Describe alternatives you've considered** No alternatives have come to mind. **Additional context** TacticalRMM is the first service I have encountered that activates 2FA without verifying that it actually works.