Question Two-Factor Authentication reset for admin account

[Mike-Online]

Server operating system version

Ubuntu 24.04 x86_64

Plesk version and microupdate number

Plesk Obsidian 18.0.76.6

Hi everyone,

I have a question regarding Two-Factor Authentication management in Plesk.

Situation:
2FA is currently enabled for the admin user and works via a YubiKey (Yubico Authenticator). I can still log in successfully.

However, I would like to migrate away from the YubiKey and instead store the TOTP secret in Vaultwarden (or another password manager).

Problem:

• I no longer have access to the original QR code or secret
• Plesk does not show the secret again after setup
• CLI and database approaches described for older versions do not seem applicable

Goal:

• Either retrieve the existing TOTP secret
  or
• properly reset/reconfigure 2FA so I can re-add it (and store the secret this time)

Questions:

1. Is it possible to extract the existing TOTP secret from Plesk?
2. What is the recommended way to reset 2FA for the admin user in this version?
3. How can I repair the extension system (plesk ext) so it works again?

Any guidance would be greatly appreciated.

Thanks!

 

[Sebahat.hadzhi]

Hi, @Mike-Online . You should be able to retrieve the secret with:

plesk ext mfa config info admin

If you want to reconfigure the extension with another app/device, you can disable it from Extensions > My Extensions > Disable Multi-Factor Authentication and then re-enable it. Once done, you should be prompted to scan the QR code/manually add the details to your app/device.

How can I repair the extension system (plesk ext) so it works again?

Could you please elaborate further on that question? I am not quite sure I was able to understand what doesn't work at this point. Thanks in advance.

 

[Mike-Online]

Hi, @Mike-Online . You should be able to retrieve the secret with:

plesk ext mfa config info admin

If you want to reconfigure the extension with another app/device, you can disable it from Extensions > My Extensions > Disable Multi-Factor Authentication and then re-enable it. Once done, you should be prompted to scan the QR code/manually add the details to your app/device.



Could you please elaborate further on that question? I am not quite sure I was able to understand what doesn't work at this point. Thanks in advance.

Hi,

thanks for your reply.

I tried the suggested command:

plesk ext mfa config info admin

but on my system it returns:

"The extension mfa is not installed"

Also, the extension system itself seems to be broken:

* `plesk ext list` returns: "The extension list is not installed"
* `/usr/local/psa/admin/conf/extensions.json` does not exist
* however, extension directories are present under `/usr/local/psa/var/modules/` (e.g. google-authenticator, etc.)

I already tried:

* `plesk repair installation -y` (no errors)
* verifying filesystem structure

So it looks like the extension registry/backend is missing or corrupted, likely due to multiple upgrades over time (this system has been upgraded across several Plesk and Ubuntu versions).

Current state:

* I can still log in using my YubiKey (TOTP works)
* but I cannot manage or reset 2FA (no GUI option, no working CLI)

**Goal:**
I want to remove or reset 2FA so I can reconfigure it and store the secret in a password manager.

**Questions:**

1. How can I restore the extension system (`plesk ext`) in this situation?
2. Is there a supported way to reset/remove 2FA without a working extension system?
3. Is manually removing the `google-authenticator` module a safe approach in this case?

Any guidance would be appreciated.

Thanks!