MFA Administration

Disable AuthOS MFA deliberately and support users who have lost every recovery factor

AuthOS release 0.8.2 TypeScript SDK 0.8.0 Latest-only documentation
Updated Jul 15, 2026 Edit this page
On this page

Disabling MFA removes the TOTP requirement and invalidates all backup codes. Use it only as an authenticated self-service action or after a documented, independent administrator recovery check.

Disabling MFA

Disable MFA

async function disableMfa() {
  try {
    const result = await sso.user.mfa.disable();

    console.log(result.message);
    // "MFA disabled successfully"

    return true;
  } catch (error) {
    console.error('Failed to disable MFA:', error);
    return false;
  }
}

After disablement, update the UI from a fresh status response and make the user complete a new enrollment flow if they choose to restore MFA.

Disable MFA Component

import { useState } from 'react';
import { SsoClient, SsoApiError } from '@drmhse/sso-sdk';

interface DisableMfaProps {
  sso: SsoClient;
  onDisabled: () => void;
}

export function DisableMfa({ sso, onDisabled }: DisableMfaProps) {
  const [showConfirm, setShowConfirm] = useState(false);
  const [loading, setLoading] = useState(false);
  const [error, setError] = useState('');

  const handleDisable = async () => {
    setLoading(true);
    setError('');

    try {
      await sso.user.mfa.disable();
      onDisabled();
    } catch (err) {
      if (err instanceof SsoApiError) {
        setError(err.message);
      } else {
        setError('Failed to disable MFA');
      }
      setLoading(false);
    }
  };

  if (showConfirm) {
    return (
      <div className="disable-mfa-confirm">
        <h3>Disable Two-Factor Authentication?</h3>
        <div className="warning">
          <p>
            <strong>Warning:</strong> Disabling 2FA will make your account less secure.
          </p>
          <ul>
            <li>Your backup codes will be deleted</li>
            <li>You'll only need your password to sign in</li>
            <li>You can re-enable 2FA at any time</li>
          </ul>
        </div>
        {error && <div className="error">{error}</div>}
        <div className="actions">
          <button onClick={handleDisable} disabled={loading} className="danger">
            {loading ? 'Disabling...' : 'Yes, Disable 2FA'}
          </button>
          <button onClick={() => setShowConfirm(false)}>Cancel</button>
        </div>
      </div>
    );
  }

  return (
    <div className="disable-mfa">
      <button onClick={() => setShowConfirm(true)} className="danger">
        Disable Two-Factor Authentication
      </button>
    </div>
  );
}

Administrator recovery

When a user has neither the authenticator nor unused backup codes:

  1. Verify the requester with an approved recovery process that does not rely on the lost factor.
  2. Confirm that the operator is authorized to change MFA for this account and organization.
  3. Record the recovery action in the appropriate audit trail.
  4. Disable the old factor and revoke sessions according to your policy.
  5. Require the user to enroll a new factor and save new backup codes.

Platform-wide status and force-disable endpoints are documented in Platform Users and MFA. Operational metrics and suspicious-activity endpoints are documented in Platform Operations.

Continue to UI integration to compose these controls into one account-security surface.