pennersr / django-allauth

Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.

Home Page: https://allauth.org


Temporarily disable MFA for a user

gyromb opened this issue · comments

Could we have the possibility to temporarily disable MFA for a specific user? At the moment you need to delete the user's Authenticator to disable MFA, which means he has to go through the setup process again when reactivated.

I would propose to add a BooleanField to the Authenticator model which determines if it is active. This can then be checked in the is_mfa_enabled function:

from django.conf import settings
from django.db import models
from django.utils import timezone
from django.utils.translation import gettext_lazy as _

# AuthenticatorManager is the manager already defined in allauth.mfa.models


class Authenticator(models.Model):
    class Type(models.TextChoices):
        RECOVERY_CODES = "recovery_codes", _("Recovery codes")
        TOTP = "totp", _("TOTP Authenticator")

    objects = AuthenticatorManager()

    user = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.CASCADE)
    type = models.CharField(max_length=20, choices=Type.choices)
    data = models.JSONField()
    created_at = models.DateTimeField(default=timezone.now)
    last_used_at = models.DateTimeField(null=True)

    # proposed: an inactive authenticator is kept, but no longer counts for MFA
    active = models.BooleanField(default=True)


def is_mfa_enabled(user, types=None):
    if user.is_anonymous:
        return False
    # proposed: only active authenticators make MFA "enabled" for the user
    qs = Authenticator.objects.filter(user=user, active=True)
    if types is not None:
        qs = qs.filter(type__in=types)
    return qs.exists()

Could you add a little bit more background on the use case? Under what circumstances would you want to make use of this?

Thanks for the fast reply!

We have an application where 2FA is mandatory for all users. However the administrator of that system should have the ability to disable it for individual users (for various reasons). If the admin disables it and then later enables it again, ideally the user should not go through the setup process again but just use his already configured authenticator app.

At the moment I am hacking around this issue by creating a backup copy of the user's Authenticator on disable and then restoring it again on enable. But it would be nicer if this was just a flag in the Authenticator.

Up to now I have used the django-two-factor-auth package for 2FA, which had exactly this feature, but I switched to allauth now because I like your package much better 😀

I am really curious what these "for various reasons" are. Could you elaborate there? I think we need to have a good rationale for a feature like this.

Also wondering, how does this affect what the user sees on screen? I get that the user does not see 2FA kicking in when signing in, but if the user visits the 2FA setup and overview screen, what happens then? Does it appear as if no 2FA is enabled, or do they actually see it is setup but disabled?

The is_mfa_enabled() method can now (e676086) be altered via the adapter method. A boolean field is not needed, you can always store the information you need in authenticator.data.
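As an added example of the approach the maintainer points to (not code from this thread or from allauth itself): the flag lives in authenticator.data and a custom adapter, assumed here to subclass DefaultMFAAdapter and override is_mfa_enabled(user, types=None), filters on it, so disabling and re-enabling never touches the stored TOTP secret. The "disabled" key name, the MFAAdapter class and the FakeAuthenticator stand-in are constructed for illustration.

```python
# Added example, not allauth's code: keep an administrator-set "disabled" flag
# inside Authenticator.data and teach a custom MFA adapter to honour it. Assumed:
# the adapter hook is DefaultMFAAdapter.is_mfa_enabled(self, user, types=None).
from dataclasses import dataclass, field

DISABLED_KEY = "disabled"  # assumed key name inside Authenticator.data


def enabled_authenticators(authenticators, types=None):
    """Authenticators that count towards MFA being enabled (needs only
    ``.type`` and ``.data``, so it runs without a database)."""
    result = []
    for auth in authenticators:
        if auth.data.get(DISABLED_KEY):
            continue  # temporarily disabled by an administrator
        if types is not None and auth.type not in types:
            continue
        result.append(auth)
    return result


def set_mfa_disabled(authenticators, disabled):
    """Flip the flag on all of a user's authenticators at once (TOTP and
    recovery codes together); returns how many changed, the caller saves them."""
    changed = 0
    for auth in authenticators:
        if bool(auth.data.get(DISABLED_KEY)) != disabled:
            auth.data[DISABLED_KEY] = disabled
            changed += 1
    return changed


try:  # wired up only inside a Django project with allauth installed
    from allauth.mfa.adapter import DefaultMFAAdapter

    class MFAAdapter(DefaultMFAAdapter):  # point settings.MFA_ADAPTER at this
        def is_mfa_enabled(self, user, types=None):
            from allauth.mfa.models import Authenticator  # lazy, as allauth does
            if user.is_anonymous:
                return False
            qs = Authenticator.objects.filter(user=user)
            return bool(enabled_authenticators(qs, types))
except Exception:  # ImportError or Django not configured when run stand-alone
    pass


@dataclass
class FakeAuthenticator:  # constructed stand-in for allauth's model
    type: str
    data: dict = field(default_factory=dict)
```

Because the flag is applied to every authenticator of the user, a disabled user is not challenged for recovery codes either, and clearing the flag restores the original TOTP setup untouched.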