Good day
My focus is to implement 2FA on my production server. I have been playing around with 2FA on my test system and I found that it works great except for the user Administrator.
Both my production and test servers are on the same version …
ERPNext: v12.26.0 (version-12)
Frappe Framework: v12.23.0 (version-12)
My method involves the following…
1. Enable 2FA under System Settings (OTP App)
2. Disable 2FA on the “All” role
3. Enable 2FA for a particular “Role”
4. Ensure that the role in (3) is assigned to a user
This worked well with a user that has a non-Administrator role
Note: I did not have to run the bench command to enable 2FA for a site (???)
Then I repeated the procedure…
1. Enable 2FA under System Settings (OTP App)
2. Disable 2FA on the “All” role
3. Enable 2FA for a particular “Role” = Administrator
But then when I log in as Administrator, it does not ask for 2FA token.
And yet, if I look at the content of “tabRole”, the two_factor_auth field for “Administrator” is in fact “1”.
And it seems I cannot assign the “Administrator” role to another user.
My Python is not strong, but I looked at some code as well (auth.py and twofactor.py) to see if I can see why “Administrator” is excluded from the 2FA process.
Could you please assist me in trying to resolve this?
Thanks
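An added example (not code from the thread or from Frappe) that models the role-based gate the steps above describe: a user is covered by 2FA when any role they hold, including the implicit “All” role, has two_factor_auth set. It assumes rows shaped like “tabRole” (mentioned in the post) and Frappe's “Has Role” child table for user-to-role assignments; all rows are constructed sample data, so it lets you audit what the configuration says on paper, which is exactly where the Administrator observation in the post diverges.

```python
# Added example, not from the thread: audit which users a role-based 2FA
# configuration covers. Row shapes are assumptions modelled on Frappe's
# `tabRole` (two_factor_auth flag) and `tabHas Role` (user -> role).

# Constructed snapshot of `tabRole`: role name -> two_factor_auth (1 = enforced).
# Mirrors the post: off for "All", on for one chosen role and for "Administrator".
ROLES = {
    "All": 0,
    "Accounts Manager": 1,
    "Administrator": 1,
    "Website Manager": 0,
}

# Constructed snapshot of `tabHas Role`: (parent user, role) pairs.
HAS_ROLE = [
    ("alice@example.com", "Accounts Manager"),
    ("bob@example.com", "Website Manager"),
    ("Administrator", "Administrator"),
]


def roles_for(user, has_role=HAS_ROLE):
    """Every user implicitly holds "All" plus whatever tabHas Role assigns."""
    assigned = {role for parent, role in has_role if parent == user}
    return assigned | {"All"}


def two_factor_required(user, roles=ROLES, has_role=HAS_ROLE):
    """2FA applies if any of the user's roles has two_factor_auth = 1."""
    return any(roles.get(r, 0) == 1 for r in roles_for(user, has_role))


def audit(roles=ROLES, has_role=HAS_ROLE):
    """Return {user: enforced?} for every user that appears in tabHas Role."""
    users = {parent for parent, _ in has_role}
    return {u: two_factor_required(u, roles, has_role) for u in sorted(users)}


if __name__ == "__main__":
    for user, enforced in audit().items():
        print(f"{user:20} 2FA {'enforced' if enforced else 'NOT enforced'}")
```

With these rows the model reports Administrator as covered, which is the configuration state the post describes; the missing token prompt at login is therefore not explained by the role flags alone.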
Instead of Administrator, I treat the first System Manager as the super-user account in the system.
I use Administrator only during development. Or it's used by patches.
That’s my thinking. I don’t use Administrator in production. In fact I create admin with a randomly generated 32-character password so no one can accidentally use it.
Thank you @revant_one for taking the time to respond
I absolutely agree with you! And that is what I am also now doing. Previously I would use the Administrator account perhaps more than I should, but I have moved that onto another user.
The point though is, the Administrator account is still more open…
- The account name is easy to guess … “admin” or “administrator” …
- Then all that needs to be cracked is the password.
And yes, you have an excellent password … but that password is still the only barrier between the hacker and a hacked server. Whereas the 2FA would have added another layer of security.
Besides, the manual indicates this …
https://docs.erpnext.com/docs/v13/user/manual/en/setting-up/articles/setup-two-factor-authentication
(This is for version 13, but if you select V12 it says the same.)
I copy a snip from that manual…
On activation of 2FA from setup, it is also activated for the Role "All". In this way, all users including the Administrator have to perform a 2nd level authentication with a token. By unchecking the "Two Factor Authentication" checkbox in the "All" role and enabling it in other roles, the need to login with a token can be limited to specific roles. 2FA does not apply to login by Web Users and API login