[6.x] Ability to disable two-factor authentication (#14263)

duncanmcclean · jasonvarga · web-flow · commit 0b82eee597e6 · 2026-03-26T12:13:36.000-04:00
Co-authored-by: Jason Varga &lt;jason@pixelfear.com&gt;
diff --git a/config/users.php b/config/users.php
@@ -181,6 +181,18 @@
 
     'elevated_session_duration' => 15,
 
+    /*
+    |--------------------------------------------------------------------------
+    | Two-Factor Authentication
+    |--------------------------------------------------------------------------
+    |
+    | Here you may disable two-factor authentication entirely. This can be
+    | useful on local or staging environments, or when using OAuth.
+    |
+    */
+
+    'two_factor_enabled' => env('STATAMIC_TWO_FACTOR_ENABLED', true),
+
     /*
     |--------------------------------------------------------------------------
     | Enforce Two-Factor Authentication
diff --git a/routes/cp.php b/routes/cp.php
@@ -1,6 +1,7 @@
 <?php
 
 use Illuminate\Support\Facades\Route;
+use Statamic\Facades\TwoFactor;
 use Statamic\Facades\Utility;
 use Statamic\Http\Controllers\CP\Addons\AddonsController;
 use Statamic\Http\Controllers\CP\Addons\AddonSettingsController;
@@ -128,12 +129,14 @@
         Route::get('password/reset/{token}', [ResetPasswordController::class, 'showResetForm'])->name('password.reset');
         Route::post('password/reset', [ResetPasswordController::class, 'reset'])->name('password.reset.action');
 
-        Route::get('two-factor-challenge', [TwoFactorChallengeController::class, 'index'])->name('two-factor-challenge');
-        Route::post('two-factor-challenge', [TwoFactorChallengeController::class, 'store']);
+        if (TwoFactor::enabled()) {
+            Route::get('two-factor-challenge', [TwoFactorChallengeController::class, 'index'])->name('two-factor-challenge');
+            Route::post('two-factor-challenge', [TwoFactorChallengeController::class, 'store']);
 
-        Route::get('two-factor-setup', TwoFactorSetupController::class)
-            ->withoutMiddleware(RedirectIfTwoFactorSetupIncomplete::class)
-            ->name('two-factor-setup');
+            Route::get('two-factor-setup', TwoFactorSetupController::class)
+                ->withoutMiddleware(RedirectIfTwoFactorSetupIncomplete::class)
+                ->name('two-factor-setup');
+        }
     }
 
     Route::get('logout', [LoginController::class, 'logout'])->name('logout');
@@ -345,14 +348,16 @@
     Route::post('users/actions/list', [UserActionController::class, 'bulkActions'])->name('users.actions.bulk');
     Route::resource('users', UsersController::class)->except('destroy');
     Route::patch('users/{user}/password', [PasswordController::class, 'update'])->name('users.password.update');
-    Route::withoutMiddleware(RedirectIfTwoFactorSetupIncomplete::class)->middleware(RequireElevatedSession::class)->group(function () {
-        Route::get('two-factor/enable', [TwoFactorAuthenticationController::class, 'enable'])->name('users.two-factor.enable');
-        Route::delete('two-factor', [TwoFactorAuthenticationController::class, 'disable'])->name('users.two-factor.disable');
-        Route::post('two-factor/confirm', [TwoFactorAuthenticationController::class, 'confirm'])->name('users.two-factor.confirm');
-        Route::get('two-factor/recovery-codes', [TwoFactorRecoveryCodesController::class, 'show'])->name('users.two-factor.recovery-codes.show');
-        Route::post('two-factor/recovery-codes', [TwoFactorRecoveryCodesController::class, 'store'])->name('users.two-factor.recovery-codes.generate');
-        Route::get('two-factor/recovery-codes/download', [TwoFactorRecoveryCodesController::class, 'download'])->name('users.two-factor.recovery-codes.download');
-    });
+    if (TwoFactor::enabled()) {
+        Route::withoutMiddleware(RedirectIfTwoFactorSetupIncomplete::class)->middleware(RequireElevatedSession::class)->group(function () {
+            Route::get('two-factor/enable', [TwoFactorAuthenticationController::class, 'enable'])->name('users.two-factor.enable');
+            Route::delete('two-factor', [TwoFactorAuthenticationController::class, 'disable'])->name('users.two-factor.disable');
+            Route::post('two-factor/confirm', [TwoFactorAuthenticationController::class, 'confirm'])->name('users.two-factor.confirm');
+            Route::get('two-factor/recovery-codes', [TwoFactorRecoveryCodesController::class, 'show'])->name('users.two-factor.recovery-codes.show');
+            Route::post('two-factor/recovery-codes', [TwoFactorRecoveryCodesController::class, 'store'])->name('users.two-factor.recovery-codes.generate');
+            Route::get('two-factor/recovery-codes/download', [TwoFactorRecoveryCodesController::class, 'download'])->name('users.two-factor.recovery-codes.download');
+        });
+    }
     Route::get('account', AccountController::class)->name('account');
     Route::resource('user-groups', UserGroupsController::class);
     Route::resource('roles', RolesController::class);
diff --git a/routes/web.php b/routes/web.php
@@ -5,6 +5,7 @@
 use Illuminate\Support\Facades\Route;
 use Statamic\Auth\Protect\Protectors\Password\Controller as PasswordProtectController;
 use Statamic\Facades\OAuth;
+use Statamic\Facades\TwoFactor;
 use Statamic\Http\Controllers\ActivateAccountController;
 use Statamic\Http\Controllers\ForgotPasswordController;
 use Statamic\Http\Controllers\FormController;
@@ -50,17 +51,19 @@
             Route::get('password/reset/{token}', [ResetPasswordController::class, 'showResetForm'])->name('password.reset');
             Route::post('password/reset', [ResetPasswordController::class, 'reset'])->name('password.reset.action');
 
-            Route::get('two-factor-setup', TwoFactorSetupController::class)->name('two-factor-setup');
-            Route::get('two-factor-challenge', [TwoFactorChallengeController::class, 'index'])->name('two-factor-challenge');
-            Route::post('two-factor-challenge', [TwoFactorChallengeController::class, 'store']);
-
-            Route::withoutMiddleware(RedirectIfTwoFactorSetupIncomplete::class)->group(function () {
-                Route::get('two-factor/enable', [TwoFactorAuthenticationController::class, 'enable'])->name('users.two-factor.enable');
-                Route::post('two-factor/confirm', [TwoFactorAuthenticationController::class, 'confirm'])->name('users.two-factor.confirm');
-                Route::get('two-factor/recovery-codes', [TwoFactorRecoveryCodesController::class, 'show'])->name('users.two-factor.recovery-codes.show');
-                Route::post('two-factor/recovery-codes', [TwoFactorRecoveryCodesController::class, 'store'])->name('users.two-factor.recovery-codes.generate');
-                Route::get('two-factor/recovery-codes/download', [TwoFactorRecoveryCodesController::class, 'download'])->name('users.two-factor.recovery-codes.download');
-            });
+            if (TwoFactor::enabled()) {
+                Route::get('two-factor-setup', TwoFactorSetupController::class)->name('two-factor-setup');
+                Route::get('two-factor-challenge', [TwoFactorChallengeController::class, 'index'])->name('two-factor-challenge');
+                Route::post('two-factor-challenge', [TwoFactorChallengeController::class, 'store']);
+
+                Route::withoutMiddleware(RedirectIfTwoFactorSetupIncomplete::class)->group(function () {
+                    Route::get('two-factor/enable', [TwoFactorAuthenticationController::class, 'enable'])->name('users.two-factor.enable');
+                    Route::post('two-factor/confirm', [TwoFactorAuthenticationController::class, 'confirm'])->name('users.two-factor.confirm');
+                    Route::get('two-factor/recovery-codes', [TwoFactorRecoveryCodesController::class, 'show'])->name('users.two-factor.recovery-codes.show');
+                    Route::post('two-factor/recovery-codes', [TwoFactorRecoveryCodesController::class, 'store'])->name('users.two-factor.recovery-codes.generate');
+                    Route::get('two-factor/recovery-codes/download', [TwoFactorRecoveryCodesController::class, 'download'])->name('users.two-factor.recovery-codes.download');
+                });
+            }
         });
 
         Route::group(['prefix' => 'auth', 'middleware' => [CPAuthGuard::class]], function () {
diff --git a/src/Auth/TwoFactor/TwoFactor.php b/src/Auth/TwoFactor/TwoFactor.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Statamic\Auth\TwoFactor;
+
+class TwoFactor
+{
+    public function enabled(): bool
+    {
+        return config('statamic.users.two_factor_enabled', true);
+    }
+}
diff --git a/src/Auth/User.php b/src/Auth/User.php
@@ -19,6 +19,7 @@
 use Illuminate\Notifications\Notifiable;
 use Illuminate\Support\Facades\Password;
 use Statamic\Auth\Passwords\PasswordReset;
+use Statamic\Auth\TwoFactor\RecoveryCode;
 use Statamic\Contracts\Auth\Role as RoleContract;
 use Statamic\Contracts\Auth\TwoFactor\TwoFactorAuthenticationProvider;
 use Statamic\Contracts\Auth\User as UserContract;
@@ -40,6 +41,7 @@
 use Statamic\Events\UserSaved;
 use Statamic\Events\UserSaving;
 use Statamic\Facades;
+use Statamic\Facades\TwoFactor;
 use Statamic\GraphQL\ResolvesValues;
 use Statamic\Notifications\ActivateAccount as ActivateAccountNotification;
 use Statamic\Notifications\PasswordReset as PasswordResetNotification;
@@ -365,6 +367,10 @@ public function preferredColorMode()
 
     public function isTwoFactorAuthenticationRequired(): bool
     {
+        if (! TwoFactor::enabled()) {
+            return false;
+        }
+
         $enforcedRoles = config('statamic.users.two_factor_enforced_roles', []);
 
         if (in_array('*', $enforcedRoles)) {
@@ -410,7 +416,7 @@ public function replaceTwoFactorRecoveryCode(string $code): void
     {
         $this->set('two_factor_recovery_codes', encrypt(str_replace(
             $code,
-            TwoFactor\RecoveryCode::generate(),
+            RecoveryCode::generate(),
             decrypt($this->two_factor_recovery_codes)
         )))->save();
 
diff --git a/src/Facades/TwoFactor.php b/src/Facades/TwoFactor.php
@@ -0,0 +1,18 @@
+<?php
+
+namespace Statamic\Facades;
+
+use Illuminate\Support\Facades\Facade;
+
+/**
+ * @method static bool enabled()
+ *
+ * @see \Statamic\Auth\TwoFactor\TwoFactor
+ */
+class TwoFactor extends Facade
+{
+    protected static function getFacadeAccessor()
+    {
+        return \Statamic\Auth\TwoFactor\TwoFactor::class;
+    }
+}
diff --git a/src/Http/Controllers/CP/Auth/LoginController.php b/src/Http/Controllers/CP/Auth/LoginController.php
@@ -7,6 +7,7 @@
 use Illuminate\Validation\ValidationException;
 use Inertia\Inertia;
 use Statamic\Facades\OAuth;
+use Statamic\Facades\TwoFactor;
 use Statamic\Facades\URL;
 use Statamic\Facades\User;
 use Statamic\Http\Controllers\Concerns\HandlesLogins;
@@ -75,7 +76,7 @@ public function login(Request $request)
 
         $user = User::fromUser($this->validateCredentials($request));
 
-        if ($user->hasEnabledTwoFactorAuthentication()) {
+        if (TwoFactor::enabled() && $user->hasEnabledTwoFactorAuthentication()) {
             return $this->twoFactorChallengeResponse($request, $user);
         }
 
diff --git a/src/Http/Controllers/CP/Users/UsersController.php b/src/Http/Controllers/CP/Users/UsersController.php
@@ -11,6 +11,7 @@
 use Statamic\Facades\CP\Toast;
 use Statamic\Facades\Scope;
 use Statamic\Facades\Search;
+use Statamic\Facades\TwoFactor;
 use Statamic\Facades\User;
 use Statamic\Facades\UserGroup;
 use Statamic\Http\Controllers\CP\CpController;
@@ -277,7 +278,7 @@ public function edit(Request $request, $user)
             'canEditPassword' => User::fromUser($request->user())->can('editPassword', $user),
             'requiresCurrentPassword' => $isCurrentUser = $request->user()->id === $user->id(),
             'itemActions' => Action::for($user, ['view' => 'form']),
-            'twoFactor' => $isCurrentUser ? [
+            'twoFactor' => $isCurrentUser && TwoFactor::enabled() ? [
                 'isEnforced' => $user->isTwoFactorAuthenticationRequired(),
                 'wasSetup' => $user->hasEnabledTwoFactorAuthentication(),
                 'routes' => [
diff --git a/src/Http/Controllers/User/LoginController.php b/src/Http/Controllers/User/LoginController.php
@@ -6,6 +6,7 @@
 use Illuminate\Http\Exceptions\HttpResponseException;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
+use Statamic\Facades\TwoFactor;
 use Statamic\Facades\URL;
 use Statamic\Facades\User;
 use Statamic\Http\Controllers\Concerns\HandlesLogins;
@@ -22,7 +23,7 @@ public function login(UserLoginRequest $request)
 
         $user = User::fromUser($this->validateCredentials($request));
 
-        if ($user->hasEnabledTwoFactorAuthentication()) {
+        if (TwoFactor::enabled() && $user->hasEnabledTwoFactorAuthentication()) {
             return $this->twoFactorChallengeResponse($request, $user);
         }
 
diff --git a/src/Http/Middleware/RedirectIfTwoFactorSetupIncomplete.php b/src/Http/Middleware/RedirectIfTwoFactorSetupIncomplete.php
@@ -4,14 +4,16 @@
 
 use Closure;
 use Illuminate\Http\Request;
+use Statamic\Facades\TwoFactor;
 use Statamic\Facades\User;
 
 class RedirectIfTwoFactorSetupIncomplete
 {
     public function handle(Request $request, Closure $next)
     {
         if (
-            ($user = User::fromUser($request->user()))
+            TwoFactor::enabled()
+            && ($user = User::fromUser($request->user()))
             && $user->isTwoFactorAuthenticationRequired()
             && ! $user->hasEnabledTwoFactorAuthentication()
         ) {
diff --git a/tests/Auth/LoginTest.php b/tests/Auth/LoginTest.php
@@ -4,6 +4,7 @@
 
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Event;
+use Orchestra\Testbench\Attributes\DefineEnvironment;
 use PHPUnit\Framework\Attributes\Group;
 use PHPUnit\Framework\Attributes\Test;
 use Statamic\Auth\TwoFactor\RecoveryCode;
@@ -93,6 +94,29 @@ public function it_redirects_to_the_two_factor_challenge_page()
         Event::assertDispatched(TwoFactorAuthenticationChallenged::class, fn ($event) => $event->user->id === $user->id);
     }
 
+    #[Test]
+    #[DefineEnvironment('disableTwoFactor')]
+    public function it_skips_two_factor_challenge_when_two_factor_is_disabled()
+    {
+        Event::fake();
+
+        $user = $this->userWithTwoFactorEnabled();
+
+        $this->withoutExceptionHandling();
+
+        $this
+            ->assertGuest()
+            ->post(cp_route('login'), [
+                'email' => $user->email(),
+                'password' => 'secret',
+            ])
+            ->assertRedirect(cp_route('index'));
+
+        $this->assertAuthenticatedAs($user);
+
+        Event::assertNotDispatched(TwoFactorAuthenticationChallenged::class);
+    }
+
     #[Test]
     public function it_redirects_to_referer_url()
     {
@@ -170,6 +194,11 @@ public function it_cant_logout_when_unauthenticated()
         $this->assertGuest();
     }
 
+    protected function disableTwoFactor($app)
+    {
+        $app['config']->set('statamic.users.two_factor_enabled', false);
+    }
+
     private function user()
     {
         return tap(User::make()->makeSuper()->email('david@hasselhoff.com')->password('secret'))->save();
diff --git a/tests/Auth/UserContractTests.php b/tests/Auth/UserContractTests.php
@@ -669,6 +669,23 @@ public function it_determines_if_the_user_has_enabled_two_factor_authentication(
         $this->assertTrue($user->hasEnabledTwoFactorAuthentication());
     }
 
+    #[Test]
+    public function it_does_not_require_two_factor_when_globally_disabled_even_if_user_has_setup()
+    {
+        config()->set('statamic.users.two_factor_enabled', false);
+        config()->set('statamic.users.two_factor_enforced_roles', ['*']);
+
+        $user = $this->makeUser()
+            ->makeSuper()
+            ->set('two_factor_secret', 'secret')
+            ->set('two_factor_confirmed_at', now()->timestamp);
+
+        $user->save();
+
+        $this->assertTrue($user->hasEnabledTwoFactorAuthentication());
+        $this->assertFalse($user->isTwoFactorAuthenticationRequired());
+    }
+
     #[Test]
     public function it_gets_recovery_codes()
     {
diff --git a/tests/Feature/Users/EditUserTest.php b/tests/Feature/Users/EditUserTest.php
@@ -3,6 +3,7 @@
 namespace Tests\Feature\Users;
 
 use Inertia\Testing\AssertableInertia as Assert;
+use Orchestra\Testbench\Attributes\DefineEnvironment;
 use PHPUnit\Framework\Attributes\Group;
 use PHPUnit\Framework\Attributes\Test;
 use Statamic\Facades\User;
@@ -73,6 +74,23 @@ public function it_provides_2fa_data()
             );
     }
 
+    #[Test]
+    #[DefineEnvironment('disableTwoFactor')]
+    public function it_doesnt_provide_2fa_data_when_two_factor_is_disabled()
+    {
+        $this->setTestRoles(['test' => ['access cp', 'edit users']]);
+        $me = tap(User::make()->email('admin@domain.com')->assignRole('test'))->save();
+
+        $this
+            ->actingAsWithElevatedSession($me)
+            ->get($me->editUrl())
+            ->assertOk()
+            ->assertInertia(fn (Assert $page) => $page
+                ->component('users/Edit')
+                ->where('twoFactor', null)
+            );
+    }
+
     #[Test]
     public function it_doesnt_provide_2fa_data_when_editing_someone_else()
     {
@@ -84,6 +102,14 @@ public function it_doesnt_provide_2fa_data_when_editing_someone_else()
             ->actingAsWithElevatedSession($me)
             ->get($user->editUrl())
             ->assertOk()
-            ->assertViewHas('twoFactor', fn ($twoFactor) => $twoFactor === null);
+            ->assertInertia(fn (Assert $page) => $page
+                ->component('users/Edit')
+                ->where('twoFactor', null)
+            );
+    }
+
+    protected function disableTwoFactor($app)
+    {
+        $app['config']->set('statamic.users.two_factor_enabled', false);
     }
 }
diff --git a/tests/Feature/Users/TwoFactorRoutesTest.php b/tests/Feature/Users/TwoFactorRoutesTest.php
diff --git a/tests/Tags/User/LoginFormTest.php b/tests/Tags/User/LoginFormTest.php
