
Enabling Both TOTP and Email 2FA Skips Email Verification – Bug or Intended Behavior? #35528

Open
connectshruti opened this issue Mar 17, 2025 · 0 comments


Description:

When both TOTP 2FA and Email 2FA are enabled in Rocket.Chat, the login process only prompts for TOTP, while the email-based verification step is skipped. This behavior might be intentional, but the UI does not indicate that TOTP will take priority, which could be misleading to administrators configuring 2FA options.

Steps to Reproduce:

  • Enable both TOTP 2FA and Email 2FA in Administration → Accounts → Two-Factor Authentication settings.
  • Log out and attempt to log in.
  • After entering the password, Rocket.Chat only asks for TOTP verification and logs in the user without sending an email 2FA code.

Expected Behavior:

  • If both TOTP and Email 2FA are enabled, it would be helpful if Rocket.Chat either:
    • Enforced both authentication steps, requiring users to complete both TOTP and Email 2FA verification.
    • Clarified in the UI that TOTP takes priority and email 2FA will not be used when TOTP is enabled.

Actual Behavior:

  • When both methods are enabled, only TOTP is required, and email 2FA is skipped.
  • This might be intentional, but since both options can be enabled at the same time, it could cause confusion for administrators who expect both to be enforced.

Server Setup Information:

  • Rocket.Chat version: 7.5.0-develop
  • Deployment method: Self-hosted (WSL2)
  • Browser & OS: Chrome, Windows 11

Possible Enhancements:

  • Providing an option to enforce both TOTP and Email 2FA if administrators enable both.
  • Adding a note in the UI (e.g., “If TOTP is enabled, Email 2FA will not be used”) to clarify the expected behavior.

Would love to hear your thoughts on whether this is the intended behavior or if adjustments could be considered to improve the user experience. Thanks for your time!
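The two policies the report contrasts (TOTP takes priority vs. both factors enforced), modelled as an added example that is not Rocket.Chat's code; the setting and user field names (`totpEnabled`, `emailEnabled`, `totpEnrolled`, `emailVerified`) are assumptions chosen for the illustration, and the audit helper flags the configuration the report calls misleading.

```javascript
// Added example, not Rocket.Chat's implementation. Models how a login flow
// chooses second-factor challenges when an admin has enabled both TOTP and
// Email 2FA. Field names below are assumptions for this illustration.

// Order in which methods are considered under a "first enabled method wins"
// policy; TOTP first matches the behaviour described in the issue.
const METHOD_PRECEDENCE = ["totp", "email"];

// A method is available only if the admin enabled it server-wide AND the
// user can actually complete it (enrolled authenticator / verified address).
function availableMethods(settings, user) {
  const usable = {
    totp: Boolean(settings.totpEnabled && user.totpEnrolled),
    email: Boolean(settings.emailEnabled && user.emailVerified),
  };
  return METHOD_PRECEDENCE.filter((method) => usable[method]);
}

// Policy A ("prefer-first"): challenge only the highest-precedence method.
// A user without a TOTP enrolment falls through to email.
function challengesPreferFirst(settings, user) {
  const methods = availableMethods(settings, user);
  return methods.length > 0 ? [methods[0]] : [];
}

// Policy B ("require-all"): challenge every available method in order.
function challengesRequireAll(settings, user) {
  return availableMethods(settings, user);
}

// Admin-side check: warn when both methods are enabled but the active policy
// will only ever ask TOTP-enrolled users for one of them, and when no second
// factor is enabled at all. Returns the list of warnings (empty = clean).
function auditTwoFactorSettings(settings, policy = "prefer-first") {
  const warnings = [];
  if (settings.totpEnabled && settings.emailEnabled && policy === "prefer-first") {
    warnings.push(
      "Both TOTP and Email 2FA are enabled; under prefer-first, Email 2FA " +
        "is never used for users who have TOTP enrolled."
    );
  }
  if (!settings.totpEnabled && !settings.emailEnabled) {
    warnings.push("No second factor is enabled.");
  }
  return warnings;
}
```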
