Turn off Zotero 2fa

I just needed to log in to my Zotero account on a new browser, and in addition to the correct username-password pair, Zotero asked me for an email 2FA / OTP.

I don't find this necessary, as I perceive low risk, and value convenience over the risk of my account being accessed by unauthorized users. So I am writing to see if there's a way to disable requiring 2FA.
  • Have you checked the security settings in your profile?
  • Thanks @poettli

    The security settings show that email 2fa seems disabled, which makes me think that this is another, unconfigurable channel.

    https://s3.amazonaws.com/zotero.org/images/forums/u8177268/79pkklunbjzr9cvgz9pg.png
  • Click the Edit button by passkeys — you possibly saved a passkey when you logged in
  • @bwiernik thanks. You're indeed correct. Do you know how having a functioning passkey interacts with 2FA, conditional on (in the screenshot) the "Email authentication" being off? For example, are you suggesting that to disable email 2FA, a user must both have the email 2FA turned off, and have no passkeys?
  • There are some cases where we will require 2fa regardless of your settings. I'm afraid this is not going to change.

    As with running an outdated OS or other software that could allow your computer to become a source of malicious activity for the rest of the internet, allowing your accounts on other services, such as Zotero, to be compromised allows for many things other than just accessing your data.

    We're still working on fine-tuning to reduce the annoyance as much as possible. Passkeys that you can use as both username/password and second factor are now well supported on most platforms, so we've added support for them and encourage their use as generally the simplest way to use 2fa.

    Any 2fa method being enabled will opt you in to requiring 2fa on all logins. Otherwise, email verification will be required on some logins.
  • Thank you @fcheslack. That's helpful.

    I have removed my passkey, and indeed now I can log in using just my password without 2FA.

    Re:

    > to be compromised allows for many things other than just accessing your data.

    I still struggle to understand what someone can do with my hacked account that they cannot do with a newly registered account, but I'm sure you know best here. Happy to consider the issue closed.