Question Two-Factor Authentication reset for admin account

Mike-Online

New Pleskian
Server operating system version: Ubuntu 24.04 x86_64
Plesk version and microupdate number: Plesk Obsidian 18.0.76.6

Hi everyone,

I have a question regarding Two-Factor Authentication management in Plesk.

Situation:
2FA is currently enabled for the admin user and works via a YubiKey (Yubico Authenticator). I can still log in successfully.

However, I would like to migrate away from the YubiKey and instead store the TOTP secret in Vaultwarden (or another password manager).

Problem:
  • I no longer have access to the original QR code or secret
  • Plesk does not show the secret again after setup
  • CLI and database approaches described for older versions do not seem applicable

Goal:
  • Either retrieve the existing TOTP secret
    or
  • properly reset/reconfigure 2FA so I can re-add it (and store the secret this time)

Questions:

  1. Is it possible to extract the existing TOTP secret from Plesk?
  2. What is the recommended way to reset 2FA for the admin user in this version?
  3. How can I repair the extension system (plesk ext) so it works again?

Any guidance would be greatly appreciated.

Thanks!
 
Hi, @Mike-Online. You should be able to retrieve the secret with:

Code:
plesk ext mfa config info admin


If you want to reconfigure the extension with another app/device, you can disable it from Extensions > My Extensions > Disable Multi-Factor Authentication and then re-enable it. Once done, you should be prompted to scan the QR code/manually add the details to your app/device.

"How can I repair the extension system (plesk ext) so it works again?"

Could you please elaborate further on that question? I am not quite sure I was able to understand what doesn't work at this point. Thanks in advance.
 
Hi,

thanks for your reply.

I tried the suggested command:

plesk ext mfa config info admin

but on my system it returns:

"The extension mfa is not installed"

Also, the extension system itself seems to be broken:

* `plesk ext list` returns: "The extension list is not installed"
* `/usr/local/psa/admin/conf/extensions.json` does not exist
* however, extension directories are present under `/usr/local/psa/var/modules/` (e.g. google-authenticator, etc.)

I already tried:

* `plesk repair installation -y` (no errors)
* verifying filesystem structure

So it looks like the extension registry/backend is missing or corrupted, likely due to multiple upgrades over time (this system has been upgraded across several Plesk and Ubuntu versions).

Current state:

* I can still log in using my YubiKey (TOTP works)
* but I cannot manage or reset 2FA (no GUI option, no working CLI)

**Goal:**
I want to remove or reset 2FA so I can reconfigure it and store the secret in a password manager.

**Questions:**

1. How can I restore the extension system (`plesk ext`) in this situation?
2. Is there a supported way to reset/remove 2FA without a working extension system?
3. Is manually removing the `google-authenticator` module a safe approach in this case?

Any guidance would be appreciated.

Thanks!
 
Thank you for the update. Multi-Factor Authentication (MFA) and Google Authenticator are two different extensions. The latter has been deprecated. Could you please double-check what extension exactly you have installed on the system:

Code:
plesk bin extension --list
 
Only this:

Code:
plesk bin extension --list
advisor - Advisor
composer - PHP Composer
configurations-troubleshooter - Configurations Troubleshooter
domain-connect - Domain Connect
git - Git
google-authenticator - Google Authenticator
heavy-metal-skin - Skins and Color Schemes
laravel - Laravel Toolkit
letsencrypt - Let's Encrypt
log-browser - Log Browser
nodejs - Node.js Toolkit
panel-ini-editor - Panel.ini Editor
plesk-sitejet - Sitejet Builder
repair-kit - Repair Kit
sectigo - Sectigo SSL
social-login - Social Login
ssh-terminal - SSH Terminal
sslit - SSL It!
wp-toolkit - WP Toolkit
xovi - SEO Toolkit
 
Thank you. So, indeed it looks like you are using Google Authenticator. Unfortunately, there's no way to retrieve the secret through it. Please try uninstalling it with:

Code:
plesk bin extension --uninstall google-authenticator

That should effectively disable 2FA and you can then install and configure the Multi-Factor Authentication (MFA) extension.
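
A pre-change check for the situation in this thread, added here as an example (it is not from the posts above or from Plesk): it reads the `id - Name` lines printed by `plesk bin extension --list` and reports which 2FA extension is in place and what the thread says about it. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the 2FA extension from `plesk bin extension --list`
# output ("id - Name" per line). Nothing is changed on the server.

# Reads a listing on stdin; prints mfa, google-authenticator, both or none.
detect_2fa_extension() {
    has_mfa=0; has_ga=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}   # drop leading whitespace
        case "$line" in
            "mfa - "*)                  has_mfa=1 ;;
            "google-authenticator - "*) has_ga=1 ;;
        esac
    done
    case "$has_mfa$has_ga" in
        11) echo both ;;
        10) echo mfa ;;
        01) echo google-authenticator ;;
        *)  echo none ;;
    esac
}

# Maps the classification to the step given in the thread.
next_step() {
    case "$1" in
        mfa) echo "Secret is readable: plesk ext mfa config info admin" ;;
        google-authenticator)
            echo "Deprecated extension, secret not retrievable. Uninstalling it disables 2FA: plesk bin extension --uninstall google-authenticator" ;;
        both) echo "Both extensions listed; not covered by the thread, review manually" ;;
        *)    echo "No 2FA extension listed" ;;
    esac
}

# Constructed sample: a few lines in the format shown in the thread.
sample_listing() {
    cat <<'EOF'
git - Git
google-authenticator - Google Authenticator
letsencrypt - Let's Encrypt
EOF
}

# Use the real listing on a Plesk host, otherwise the constructed sample.
if command -v plesk >/dev/null 2>&1; then
    listing=$(plesk bin extension --list)
else
    listing=$(sample_listing)
fi
kind=$(printf '%s\n' "$listing" | detect_2fa_extension)
printf '2FA extension: %s\n%s\n' "$kind" "$(next_step "$kind")"
```

Because uninstalling leaves the admin login without a second factor until the MFA extension is configured, run the check and the change in one maintenance window, as was done on a restore copy in this thread.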
 
Hi,

thank you for the clarification.

That makes sense — I can confirm that the system is indeed using the Google Authenticator extension, likely carried over from older upgrades.

I will test your suggestion (plesk bin extension --uninstall google-authenticator) on a staging/restore copy of the system first, before applying it to production.

Once I have a test environment ready, I’ll verify:

  • whether uninstalling the extension cleanly disables 2FA
  • and if I can then install and configure the MFA extension without issues

I’ll report back with the results.

Thanks again for your help!
 
You are welcome. For what it's worth, I have tested the scenario (with an authenticator app, as I don't have a YubiKey at hand, though it shouldn't matter) and I can confirm that 2FA is disabled after uninstalling the extension.
 
Hi,
update:

I followed your suggestion and tested the process on a restore copy first.
Uninstalling the Google Authenticator extension worked without issues and effectively removed 2FA.

After that, I installed the MFA extension and configured it successfully. Everything is now working as expected.

Thanks a lot for your help!
 