# Administration

# Admin role

The very first account created is automatically set up as an administrator account. Administrators have access to a dedicated area where they can manage global application settings as well as the user base. Click on the Admin link in the 2FAuth footer to access it.

# Granted permissions

Administrators can consult, create, promote, manage or delete any user account.

The account details visible to an administrator include:

When the user registered using SSO:

  • The SSO provider
  • The user's ID on the provider side

# Promote to administrator

Any user may be promoted to administrator by another administrator. Edit the user account at Admin > Users > [User] > and check the Is administrator flag. The change is effective immediately, without notification to the promoted user. Demoting is done the same way.

An administrator account is identified as such by a banner in the Settings > Account section.

The administrator banner
The administrator banner

# Application setup

In addition to environment information, the Admin > App Setup page provides administrators with a number of features for managing the instance.

# Version checking

2FAuth can automatically check if a new version has been released. When enabled, a request will be made to GitHub every week to retrieve the latest version number. You can also run the check manually by clicking the button.

A new available version is reported to the administrators in the 2FAuth footer and the App Setup page.

The new version indicator in the 2FAuth footer
The new version indicator in the 2FAuth footer

The new version alert in the App Setup page
The new version alert in the App Setup page

# Email testing

2FAuth requires a valid email configuration to send emails to users. Features like password reset will not work otherwise.

Click the button to send a test email. The email will be sent to your registered email address.

# Security

See Data protection.

# Registration control

It is possible to restrict user registration to a limited range of email addresses or to completly disable registrations.

# Restriction

This is an authorization pattern, only email addresses that meet a condition are allowed to register.

Once the Restrict registration setting is enabled in Admin > App Setup, there are 2 ways to define the registration policy:

The filtering list

Email addresses from this list are allowed to register on 2FAuth.

Separate the addresses with a |. All must be valid email addresses. Ex: john@example.org|jane@example.net

Leave the field blank to disable the filter.

The filtering rule

Email addresses that match a regular expression are allowed to register on 2FAuth.

For example, here is the regex to allow registering using any @example.org email address :


Leave the field blank to disable the filter.

# No registration

Check the Disable registration setting to fully disable registration. This affects SSO, so new users won't be able to sign in via SSO.

Check the Keep SSO registration enabled setting to override this behavior. New users will be able to sign in for the first time using SSO whereas registration is disabled.

# Users management

# User creation

Administrators can create new user account. Go to Admin > Users and click the Create a user button.

The form provides the exact same fields that a visitor would see in the registration form, with the same validation rules. An additional checkbox is available to directly grant administrator rights to the newly created user: Is administrator

# Access reset

While users have the ability to manage their access themselves, administrators can also take action to reset user access at Admin > Users > [User] > .

Possible actions:

Force resets the current user password with a randomly generated new password then sends a password reset email to the user so they can set their own password.

Using this, you are guaranteed that the user password has been changed. However, the user is free to set a custom password or not. The token bound to the password reset email received by the user has an expiry time of 60 minutes.

Any previous request for a password reset, from the user or an administrator, will be revoked.

Sends a new password reset email to the user without modifying their current password.

This generates a new reset token with an expiry time of 60 minutes, any previous request will be revoked.


Revokes all of the user's Personal Access Tokens.

Once their PATs have been revoked, the user will no longer be able to authenticate to the 2FAuth API.

If for some reason you need to purge revoked (or expired) tokens, run the following Artisan commands:

php artisan passport:purge --revoked
php artisan passport:purge --expired
(WebAuthn security devices)

Revokes all of the user's WebAuthn security devices.

Once their security devices have been revoked, the user will no longer be able to authenticate using WebAuthn.

If the user has checked the Use WebAuthn only option at Settings > WebAuthn, revoking their security devices will reset the option so they can log in with their username and password.

# User deletion

A user account can be deleted by an administrator, even an account with the Admin role. All data associated with the deleted account will also be deleted, including 2FA records, preferences, access tokens and logs.

Click the button at Admin > Users > [User] > to perform the delete.