TOTP or FIDO for 2FA on Hosted?

I see people referring to TOTP for self-hosted instances, however, I see only text message/phone number when trying to enable 2FA in Hosted. Is there a way to enable 2FA using either TOTP or FIDO on the [Pro] hosted version?

Question changes a bit:
I don’t want my phone number on my account, and so I was avoiding entering it, but to test if TOTP was actually available, I entered my phone number and then 2FA was set up as TOTP. Once TOTP was set up, I tried deleting my phone number but then it threatened to turn off TOTP. Curious - why is my phone number required for TOTP?

Hi,

We’ve found it’s common for people to have trouble logging in with TOTP (i.e., lost/replaced their phone), so we use the phone number to send an SMS as a backup option.

Ah - makes sense. I guess I would require it too based upon that experience.

I’m a former developer and IT manager, spending almost 30 years in corporate America, not that it makes any difference except that I’ve witnessed a LOT of poor system design, poor testing, missing functionality, etc., etc. I’ve only spent a couple of days playing around with InvoiceNinja but it’s very clear this system is extremely well-designed, tested and polished. With the functionality InvoiceNinja has, its like-for-like design beats what I’ve seen from enterprise vendors like SAP or Oracle. Kudos.

Thanks, that’s great to hear!

Just wanted to add to this as there is some unexpected behavior in the latest Flutter app:

  • Add phone number
  • Set up 2FA
  • Remove phone number → UI shows warning that this will remove 2FA
  • Remove phone number anyways
  • 2FA is still working

I’m not sure what is the best approach here. Maybe don’t show the warning if it is an empty threat?

Note that the React UI does not show the warning when removing 2FA. It requires the phone number to set up 2FA but removing the phone number has expected behavior.

@david any thoughts on this?

We’ll put a check in place for this.