
Making TOTP 2FA provider independent from other two and modifying 2FA force behavior #9845


shamyratpashiyev created

Greetings, there are some problems I encountered in a layered ABP solution:

  1. I need to disable the email and phone number providers in 2FA and leave only the TOTP provider functional, i.e. I need to make it so that users can enable the TOTP provider without verifying a phone number or email. How can I achieve that? Please provide detailed instructions.
  2. I also need to make the force behavior in 2FA work with TOTP, i.e. when the 2FA behavior is set to force, I need the app to redirect the user to the Two Factor Authentication page at "/Account/Manage" so that the user is not able to log in without enabling the TOTP app. Please give me detailed instructions on this as well.

7 Answer(s)
  • AI-Bot created
    Support Team ABP Agent
    1. To disable email and phone number providers in 2FA and leave only the TOTP provider functional, you need to override the logic that provides available two-factor authentication providers. In your application layer, override the method that returns the list of 2FA providers (such as GetTwoFactorProvidersAsync in your AccountAppService or equivalent). Only return the TOTP provider in the result. This will prevent users from seeing or enabling email or phone-based 2FA, and allow enabling TOTP without verifying email or phone.

    Example:

    public override async Task<ListResultDto<string>> GetTwoFactorProvidersAsync()
    {
        // Only return TOTP provider
        return new ListResultDto<string>(new List<string> { "Authenticator" });
    }
    

    Make sure your UI only displays the TOTP option and does not require email or phone verification for enabling TOTP.

    2. To force 2FA with TOTP and redirect users to the Two Factor Authentication page at "/Account/Manage" when 2FA is required, set the 2FA behavior to "force" in your configuration. In your Angular application, after login, check if the user has 2FA enabled and is required to complete 2FA. If so, redirect them to "/Account/Manage" for TOTP verification.

    You may need to customize the authentication flow in your Angular app to handle this redirect. Typically, after login, if the backend indicates that 2FA is required (e.g., via a specific response or claim), perform a client-side redirect:

    // Pseudocode for Angular
    if (userRequires2FA) {
      this.router.navigate(['/account/manage']);
    }
    

    Ensure your backend enforces 2FA when required and that the Angular app checks for this state after authentication.

    Sources:

    • https://abp.io/docs/latest/modules/identity/two-factor-authentication
    • https://abp.io/support/questions/4444

    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  • shamyratpashiyev created

    No, I tried that; it didn't work.

  • maliming created
    Support Team Fullstack Developer

    hi

    You can remove the email and phone from options.Tokens.ProviderMap

    services.PostConfigure<IdentityOptions>(options =>
    {
        //options.Tokens.ProviderMap
    });
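
The ProviderMap suggestion above, written out as an added example (not code from maliming or from ABP). It assumes the four names that ASP.NET Core Identity's `AddDefaultTokenProviders` registers are present; the class and method names are hypothetical. It only narrows the token provider map and does not change any UI page.

```csharp
using System;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper; call services.UseTotpAsOnlyTwoFactorProvider() in ConfigureServices.
public static class TotpOnlyTwoFactorExtensions
{
    // Providers that should no longer be offered as a second factor.
    private static readonly string[] Removed =
    {
        TokenOptions.DefaultEmailProvider, // "Email"
        TokenOptions.DefaultPhoneProvider  // "Phone"
    };

    // Providers that must stay registered.
    private static readonly string[] Required =
    {
        // "Default" is the default provider for password reset,
        // email confirmation and change-email tokens.
        TokenOptions.DefaultProvider,
        // "Authenticator" is the TOTP provider.
        TokenOptions.DefaultAuthenticatorProvider
    };

    public static IServiceCollection UseTotpAsOnlyTwoFactorProvider(
        this IServiceCollection services)
    {
        // PostConfigure runs after every Configure<IdentityOptions> call,
        // so the default providers are already in the map at this point.
        services.PostConfigure<IdentityOptions>(options =>
        {
            foreach (var name in Removed)
            {
                options.Tokens.ProviderMap.Remove(name);
            }

            // Fail when the options are first resolved instead of at the
            // first login or password reset that needs a missing provider.
            foreach (var name in Required)
            {
                if (!options.Tokens.ProviderMap.ContainsKey(name))
                {
                    throw new InvalidOperationException(
                        $"Token provider '{name}' is not registered.");
                }
            }
        });
        return services;
    }
}
```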
    
  • shamyratpashiyev created

    Hi, if I do that it throws "NotSupportedException: No IUserTwoFactorTokenProvider<TUser> named 'Default' is registered." error. The reason is that I still need to verify either email or phone number to enable TOTP and if I do that it throws the error above. What I need is to make TOTP provider totally independent from email and phone providers. I mean so the user can enable only TOTP without verifying email or phone number.

  • maliming created
    Support Team Fullstack Developer

    hi

    You can consider overriding the SendSecurityCodeModel to remove the 2FA providers.

  • shamyratpashiyev created

    Hi. It is a .cshtml page, right? If yes, can you please specify its location and exact name so I can override that page and test it? It would also mean that I need to override the .cshtml file as well; in that case I need the content of that file too. I checked your repository on GitHub but couldn't find it.

  • maliming created
    Support Team Fullstack Developer

    hi

    The page class is Volo.Abp.Account.Public.Web.Pages.Account.SendSecurityCodeModel

    You can create a subclass to override the OnGetAsync method.

    https://abp.io/docs/latest/framework/ui/mvc-razor-pages/customization-user-interface

Made with ❤️ on ABP v10.0.0-preview. Updated on September 04, 2025, 16:11