
Remove Multi-Factor Authentication

This guide explains how to completely remove Multi-Factor Authentication (MFA/2FA) from your application.

Security Consideration
MFA provides an important layer of security. Only remove it if you have a specific reason and understand the security implications.

Step 1: Remove Configuration

In appsettings.json, remove the EnableMfa setting or set it to false:

// DELETE or set to false:
"Authentication": {
    "EnableMfa": false,  // DELETE THIS LINE
    ...
}

Step 2: Remove MFA Check in Login

In Pages/Account/Login.cshtml.cs, remove the MFA redirect logic in OnPostAsync:

// DELETE this section:
if (result.RequiresTwoFactor)
{
    return RedirectToPage("./LoginWith2fa", new { ReturnUrl = returnUrl, RememberMe = Input.RememberMe });
}

Step 3: Delete MFA Pages

Delete these files from Pages/Account/:

Delete these files from Pages/Account/Manage/:

Step 4: Update Account Management Page

In Pages/Account/Manage/Index.cshtml, remove the MFA section:

<!-- DELETE: Two-Factor Authentication section -->
<div class="card mb-3">
    <div class="card-header">Two-Factor Authentication</div>
    <!-- ... entire card ... -->
</div>

In Pages/Account/Manage/Index.cshtml.cs, remove:

Step 5: Remove Startup Validation

If you have MFA-related startup validation, remove those checks.

Step 6: Delete Help Files

Delete these files and folders:

Step 7: Update Help Indexes

In wwwroot/help/index.htm, delete the MFA section.

In wwwroot/help/default.htm, remove the MFA link from the user help.

Database Considerations

No Schema Changes Required
MFA data is stored in standard ASP.NET Identity columns in AspNetUsers. The columns can remain - they simply won't be used.

If you want to clear existing MFA data:

-- Optional: Disable MFA for all users
UPDATE AspNetUsers
SET TwoFactorEnabled = 0;

-- Optional: Remove authenticator keys and recovery codes
DELETE FROM AspNetUserTokens
WHERE Name = 'RecoveryCodes' OR Name = 'AuthenticatorKey';
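
The script below is an added example, not part of the original guide. It wraps the two statements above in one transaction, first recording which accounts had MFA so the change leaves an audit trail. It assumes SQL Server (T-SQL) and the default ASP.NET Identity tables; MfaRemovalAudit is a hypothetical table name.

```sql
-- Added example, not part of the original guide.
-- Assumes SQL Server (T-SQL) and the default ASP.NET Identity tables.
-- MfaRemovalAudit is a hypothetical table name and must not exist yet.
SET XACT_ABORT ON;   -- any runtime error rolls the whole transaction back
DECLARE @usersChanged int, @tokensDeleted int;

BEGIN TRANSACTION;

-- 1. Record who had MFA before touching anything. Only flags are kept:
--    the authenticator key and recovery codes themselves are secrets
--    and are deliberately not copied into the audit table.
SELECT u.Id AS UserId,
       u.UserName,
       u.TwoFactorEnabled AS HadTwoFactorEnabled,
       MAX(CASE WHEN t.Name = 'AuthenticatorKey' THEN 1 ELSE 0 END) AS HadAuthenticatorKey,
       MAX(CASE WHEN t.Name = 'RecoveryCodes'    THEN 1 ELSE 0 END) AS HadRecoveryCodes,
       SYSUTCDATETIME() AS RecordedAtUtc
INTO   MfaRemovalAudit
FROM   AspNetUsers AS u
LEFT JOIN AspNetUserTokens AS t
       ON t.UserId = u.Id
      AND t.Name IN ('AuthenticatorKey', 'RecoveryCodes')
WHERE  u.TwoFactorEnabled = 1 OR t.UserId IS NOT NULL
GROUP BY u.Id, u.UserName, u.TwoFactorEnabled;

-- 2. The guide's two statements, with row counts captured.
UPDATE AspNetUsers SET TwoFactorEnabled = 0 WHERE TwoFactorEnabled = 1;
SET @usersChanged = @@ROWCOUNT;

DELETE FROM AspNetUserTokens
WHERE  Name IN ('RecoveryCodes', 'AuthenticatorKey');
SET @tokensDeleted = @@ROWCOUNT;

-- 3. Commit only if no MFA state is left behind.
IF EXISTS (SELECT 1 FROM AspNetUsers WHERE TwoFactorEnabled = 1)
   OR EXISTS (SELECT 1 FROM AspNetUserTokens
              WHERE Name IN ('RecoveryCodes', 'AuthenticatorKey'))
BEGIN
    ROLLBACK TRANSACTION;
    THROW 50001, 'MFA data still present; nothing was changed.', 1;
END;

COMMIT TRANSACTION;

SELECT @usersChanged   AS UsersChanged,
       @tokensDeleted  AS TokenRowsDeleted,
       (SELECT COUNT(*) FROM MfaRemovalAudit) AS AccountsRecorded;
```

With the stock SignInManager, an account left with TwoFactorEnabled = 1 can still come back from the password sign-in as RequiresTwoFactor instead of Succeeded, so once the Step 2 redirect is gone that user cannot sign in until the flag is cleared.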

Verification

After removal, verify: