Disabling MFA removes the TOTP requirement and invalidates all backup codes. Use it only as an authenticated self-service action or after a documented, independent administrator recovery check.
Disabling MFA
Disable MFA
async function disableMfa() {
try {
const result = await sso.user.mfa.disable();
console.log(result.message);
// "MFA disabled successfully"
return true;
} catch (error) {
console.error('Failed to disable MFA:', error);
return false;
}
}
After disablement, update the UI from a fresh status response and make the user complete a new enrollment flow if they choose to restore MFA.
Disable MFA Component
import { useState } from 'react';
import { SsoClient, SsoApiError } from '@drmhse/sso-sdk';
interface DisableMfaProps {
sso: SsoClient;
onDisabled: () => void;
}
export function DisableMfa({ sso, onDisabled }: DisableMfaProps) {
const [showConfirm, setShowConfirm] = useState(false);
const [loading, setLoading] = useState(false);
const [error, setError] = useState('');
const handleDisable = async () => {
setLoading(true);
setError('');
try {
await sso.user.mfa.disable();
onDisabled();
} catch (err) {
if (err instanceof SsoApiError) {
setError(err.message);
} else {
setError('Failed to disable MFA');
}
setLoading(false);
}
};
if (showConfirm) {
return (
<div className="disable-mfa-confirm">
<h3>Disable Two-Factor Authentication?</h3>
<div className="warning">
<p>
<strong>Warning:</strong> Disabling 2FA will make your account less secure.
</p>
<ul>
<li>Your backup codes will be deleted</li>
<li>You'll only need your password to sign in</li>
<li>You can re-enable 2FA at any time</li>
</ul>
</div>
{error && <div className="error">{error}</div>}
<div className="actions">
<button onClick={handleDisable} disabled={loading} className="danger">
{loading ? 'Disabling...' : 'Yes, Disable 2FA'}
</button>
<button onClick={() => setShowConfirm(false)}>Cancel</button>
</div>
</div>
);
}
return (
<div className="disable-mfa">
<button onClick={() => setShowConfirm(true)} className="danger">
Disable Two-Factor Authentication
</button>
</div>
);
}
Administrator recovery
When a user has neither the authenticator nor unused backup codes:
- Verify the requester with an approved recovery process that does not rely on the lost factor.
- Confirm that the operator is authorized to change MFA for this account and organization.
- Record the recovery action in the appropriate audit trail.
- Disable the old factor and revoke sessions according to your policy.
- Require the user to enroll a new factor and save new backup codes.
Platform-wide status and force-disable endpoints are documented in Platform Users and MFA. Operational metrics and suspicious-activity endpoints are documented in Platform Operations.
Continue to UI integration to compose these controls into one account-security surface.