Disable two-factor authentication for a user (account administrator) – BlueFolder Support

Use this guide when a user cannot sign in because they no longer have access to their authenticator app and have lost their backup codes. An account administrator can turn off authenticator-app two-factor sign-in for that user so they can sign in with their password only. After they regain access, they can set up two-factor again if your organization requires or offers it.

Before you disable two-factor for someone else

Disabling two-factor removes their authenticator enrollment, deletes their unused backup codes, and revokes trusted devices for that account.
The action is recorded in your account Event Log (Settings → Account/Subscription → Event Log).

Who can perform this action

You must sign in to the main web application as a user with the following permissions:

Member of the Administrator role
Permission to edit users (Users & Permissions setup)
Two-factor authentication (authenticator app) enabled for your company account

User type	Where to go
Main web and mobile app users (Authorized, Technician, View-only, and other non–portal users who sign in to the main site or mobile app)	Settings → Users & Permissions → Users
Customer portal users (Contacts who sign in only to your customer portal)	Settings → Customer Portal → User Access

Main web vs. mobile: Main-app and mobile-app users share the same user accounts. Turning off authenticator-app two-factor on the Users list applies to both the main website and the mobile app. This administrator action is only available in the main web application Settings area, not from the mobile app.

What you will be asked to enter

When you confirm disabling two-factor for another user, the system always asks for your account password.

If you use an authenticator app for sign-in, you must also enter your current six-digit authenticator code or a valid backup code. This is required even though the locked-out user cannot provide their code.

When the disable option appears

The menu action is only shown for active users who already have authenticator-app two-factor turned on:

On the user list, look for a green shield icon next to the user’s name (authenticator app on).
Open the row’s action menu (split button next to Edit). If two-factor is enabled for that user, you will see Disable 2FA (main/mobile users) or Turn off authenticator app (portal users).
If the user never set up an authenticator, or two-factor is already off, this option will not appear.
Inactive users do not show the disable action on the main Users list; reactivate the user first if you need to change their sign-in settings.

Main web and mobile app users

Sign in to your BlueFolder account on the main web application.
Open Settings (gear icon in the top navigation), then in the left menu expand Users & Permissions and choose Users.
Ensure Active Users is selected in the view dropdown. Locate the user who is locked out. Confirm the green shield icon appears next to their name.
In that row, click the dropdown arrow on the action button (next to Edit) and choose Disable 2FA.
In the Disable two-factor authentication dialog, read the confirmation text, enter your password, and if prompted enter your verification code (six-digit authenticator code or your backup code). Click Disable 2FA.
When the action succeeds, the page reloads. The shield next to that user should no longer show as “authenticator app on.” Ask the user to sign in with their username and password only on the main website or mobile app.

If your company requires two-factor at sign-in: After an administrator disables two-factor, the user may sign in with password only until they set up the authenticator app again. They may see a prompt to complete two-factor enrollment on their next sign-in.

Customer portal users

Sign in to your BlueFolder account on the main web application (administrators manage portal users from Settings, not from inside the portal).
Open Settings, then expand Customer Portal in the left menu and choose User Access.
Ensure Active Users is selected. Find the portal user. Confirm the green shield icon appears next to their name if they use the authenticator app.
Click the dropdown arrow on the row’s action button and choose Turn off authenticator app.
In the Turn off authenticator app dialog, enter your password and, if prompted, your verification code. Click Turn off authenticator app.
Ask the portal user to sign in at your customer portal URL using their portal username and password only. They can enroll in the authenticator app again later from portal account settings if your portal policy requires or offers two-factor.

Portal sign-in policy: On the same User Access page, administrators with company profile access can configure whether portal two-factor is None, Offered, or Required. That policy is separate from turning off one user’s authenticator; it controls whether portal users must use two-factor going forward.

After two-factor is disabled

The affected user signs in with password only until they set up the authenticator app again.
Recommend that the user set up two-factor again as soon as they have a new device or authenticator app, especially if your organization requires it.
You can send a Reset Password email from the same user row menu if they also forgot their password.
Review the account Event Log if you need an audit trail of who disabled two-factor and for which user.

Troubleshooting

I do not see “Disable 2FA” or “Turn off authenticator app”

The user may not have authenticator-app two-factor enabled (no green shield).
The user may be listed under Inactive Users; switch to active users or reactivate them on the main Users list.
Your sign-in account may lack administrator or edit-user permissions.
Two-factor or authenticator-app sign-in may not be enabled for your company or (for portal) for portal users.
On the main Users list, portal-only accounts are managed under Customer Portal → User Access, not on the main Users page.

The dialog says my password or verification code is invalid

Re-enter your own account password carefully.
If you use an authenticator app, enter a current six-digit code or an unused backup code for your account, not the locked-out user’s.

The user is still prompted for a code at sign-in

Confirm you disabled two-factor for the correct username (main/mobile vs. portal accounts are separate).
Have the user try a private/incognito browser window or clear the portal or main site session and sign in again.
If your organization requires two-factor at sign-in, the user may need to complete new authenticator setup after signing in with password only.

Can the user turn off two-factor themselves?

If the user can still sign in to the main web app, they can turn off their own authenticator app under Settings → Personal → Security (Turn off authenticator app), using their password only—they do not need a code for that self-service action. Portal users may have a similar option on the portal password or security page when signed in. This administrator procedure is for cases where the user cannot sign in at all.