Disabling 2FA
You can disable two-factor authentication on your account at any time. After disabling, you can log in using only your email address and password. This page explains how to disable 2FA and what happens when you do.
Before You Disable
Disabling 2FA reduces the security of your account. Anyone who knows (or guesses) your password will be able to log in without needing your phone or authenticator app.
Consider disabling 2FA only if:
- You are switching to a new authenticator app and need to reconfigure (in which case, set up the new app and re-enable 2FA immediately after).
- Your organization's security policy has changed.
- You are decommissioning this email account.
If you are locked out because you have lost access to your authenticator app and have no recovery codes, you cannot disable 2FA yourself — see the last section below.
Disabling 2FA
- Log in to Opterius Mail (using your TOTP code or a recovery code if needed).
- Go to Settings → Security → Two-Factor Authentication.
- Click Disable Two-Factor Authentication.
- A confirmation dialog appears asking you to verify your identity.
- Enter the current 6-digit code from your authenticator app (or a valid recovery code) in the confirmation field.
- Click Confirm and disable.
2FA is now disabled on your account.
What Happens When 2FA Is Disabled
When you confirm the disable action:
- The row in the user_two_factor table corresponding to your email address is deleted.
- All associated recovery codes are also deleted.
- Your TOTP secret is gone. Your authenticator app will still show a code for the "Opterius Mail" entry, but that entry no longer has any effect — the server no longer requires a second factor.
- Next time you log in, you will go directly from the password field to your Inbox with no second step.
You should remove the Opterius Mail entry from your authenticator app manually to avoid confusion.
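The disable step described above, sketched as an added example (this is not Opterius Mail's own code). The table name and the email key come from this page. The column names, the hashed storage of recovery codes, the one-step clock tolerance and the sample data are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, sqlite3, struct, time

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, as authenticator apps compute it."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(base64.b32decode(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def requires_second_factor(db, email):
    """Login asks for a second factor only while the user's row exists."""
    q = "SELECT 1 FROM user_two_factor WHERE email = ?"
    return db.execute(q, (email,)).fetchone() is not None

def disable_2fa(db, email, proof, at=None):
    """Delete the 2FA row only if proof is a valid TOTP or recovery code."""
    q = "SELECT secret, recovery_hashes FROM user_two_factor WHERE email = ?"
    row = db.execute(q, (email,)).fetchone()
    if row is None:
        return False  # 2FA is not enabled, nothing to disable
    now = time.time() if at is None else at
    given = proof.strip().encode()
    # Assumed policy: accept the current 30 s step and one step either side.
    totp_ok = any(hmac.compare_digest(totp(row[0], max(now + d * 30, 0)).encode(), given)
                  for d in (-1, 0, 1))
    given_hash = hashlib.sha256(given).hexdigest()
    recovery_ok = any(hmac.compare_digest(h, given_hash) for h in json.loads(row[1]))
    if not (totp_ok or recovery_ok):
        return False  # wrong proof: the row and its secret stay untouched
    with db:  # one transaction: secret and recovery codes go together
        db.execute("DELETE FROM user_two_factor WHERE email = ?", (email,))
    return True

def demo_db():
    """Constructed sample data: one user, one secret, two recovery codes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_two_factor "
               "(email TEXT PRIMARY KEY, secret TEXT, recovery_hashes TEXT)")
    hashes = [hashlib.sha256(c.encode()).hexdigest() for c in ("alpha-1111", "bravo-2222")]
    db.execute("INSERT INTO user_two_factor VALUES (?, ?, ?)",
               ("user@example.com", "JBSWY3DPEHPK3PXP", json.dumps(hashes)))
    db.commit()
    return db

if __name__ == "__main__":
    db = demo_db()
    print(disable_2fa(db, "user@example.com", totp("JBSWY3DPEHPK3PXP")),
          requires_second_factor(db, "user@example.com"))
```

Once the row is gone, a code from the old authenticator entry is never checked again, which is why the stale entry in the app has no effect.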
Re-enabling 2FA
If you want to re-enable 2FA later:
- Go to Settings → Security → Two-Factor Authentication.
- Click Enable Two-Factor Authentication.
- Follow the 2FA setup process from scratch, including scanning a new QR code and saving new recovery codes.
A new TOTP secret is generated each time — the old entry in your authenticator app (if you kept it) will not work. Make sure to scan the new QR code.
If You Cannot Access Your TOTP Code
If you want to disable 2FA but cannot access your authenticator app to provide the confirmation code:
- Try logging in with a recovery code instead of a TOTP code (on the login 2FA screen, click "Use a recovery code instead"). Once logged in, follow the normal disable process using another recovery code as confirmation.
- If you have no recovery codes left and no access to your authenticator app, you are locked out and cannot disable 2FA yourself. Contact your server administrator and ask them to force-disable 2FA on your account.
An admin can do this in the Opterius Mail admin panel. See Admin 2FA Controls for details on what the admin needs to do.
After an admin force-disables your 2FA, you can log in with just your password. Immediately set up a new 2FA configuration with a properly backed-up authenticator and new recovery codes.
Frequently Asked Questions
Will disabling 2FA log me out of my current session? No. Your current session remains active. The change takes effect for the next login attempt.
Does disabling 2FA affect other users on the same server? No. 2FA is per-account. Disabling it on your account has no effect on other users.
What if my admin has required 2FA for all users? If the admin has enabled "Require 2FA for all users" in the admin settings, you will not be able to use the webmail without 2FA enabled. You can disable it from the settings page, but the next time you log in you will be redirected back to the 2FA setup screen. To opt out of the requirement, ask your admin to change the policy.
Is the TOTP secret permanently deleted when I disable 2FA?
Yes. The entire row in the user_two_factor table is deleted, including the secret and all recovery codes. If you re-enable 2FA, a completely new secret is generated.