FaceID (2FA) stopped working after ExternalDomain change?
I had to change the ExternalDomain setting for a self-hosted Zitadel 2
7 server, rerunning the setup step (no errors reported). Now a customer reports that FaceID is not working on his Apple devices, but just a QR is being shown. I have no details yet on whether scanning the QR works. Would changing ExternalDomain affect stored 2FA?
3 Replies
Hi @Equinoxe, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
I wasn't able to find a direct answer about how ExternalDomain changes affect stored 2FA/FaceID authentication, but here are some relevant sources:
1. External ZITADEL Access (1): This explains that changing ExternalDomain requires rerunning ZITADEL's setup phase and that ZITADEL uses the Host header to determine virtual instances.
2. 2FA Account Name (2): This discusses how the 2FA account naming is configured at the system level and can be changed in the defaults.yaml multifactors section for self-hosted instances.
To learn more, see the sources I considered:
[1] External ZITADEL Access
[2] 2FA Account Name
Feel free to tag @Ask Inkeep with additional questions.
I found out that FaceID uses the server's domain name to relate the ID data to the account. So the solution was to delete the FaceID configuration in Zitadel for that user and ask him to configure it under the new domain.
Glad I could be helpful. Feel free to create a new thread with any new questions you may have.
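The domain binding described in the solution above, shown as an added example (not code from this thread or from ZITADEL). It assumes the FaceID factor is a WebAuthn credential, whose authenticator data begins with the SHA-256 hash of the relying-party ID (a domain name); the domains and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

OLD_DOMAIN = "auth.old.example"   # constructed: domain at registration time
NEW_DOMAIN = "auth.new.example"   # constructed: domain after the change


def make_authenticator_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    """Constructed sample: the 37-byte fixed header an authenticator emits.
    Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + struct.pack(">BI", flags, sign_count)


def parse_authenticator_data(data: bytes) -> dict:
    """Split the fixed header of WebAuthn authenticator data into its fields."""
    if len(data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags, sign_count = struct.unpack(">BI", data[32:37])
    return {
        "rp_id_hash": data[:32],
        "user_present": bool(flags & 0x01),
        "user_verified": bool(flags & 0x04),
        "sign_count": sign_count,
    }


def rp_id_matches(data: bytes, expected_rp_id: str) -> bool:
    """Server-side check: the hash in the assertion must equal SHA-256 of the
    relying-party ID the server is currently configured with."""
    expected = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    return hmac.compare_digest(parse_authenticator_data(data)["rp_id_hash"], expected)


def rp_id_allowed_for_host(rp_id: str, host: str) -> bool:
    """Client-side scoping, simplified: the RP ID must equal the page's host or be a
    parent domain of it (real browsers also consult the public suffix list)."""
    return host == rp_id or host.endswith("." + rp_id)


if __name__ == "__main__":
    assertion = make_authenticator_data(OLD_DOMAIN)  # credential enrolled under the old domain
    print("accepted under old domain:", rp_id_matches(assertion, OLD_DOMAIN))
    print("accepted under new domain:", rp_id_matches(assertion, NEW_DOMAIN))
    print("old RP ID usable on new host:", rp_id_allowed_for_host(OLD_DOMAIN, NEW_DOMAIN))
```

Both checks fail for a credential enrolled under the old domain, which is why the factor has to be deleted and enrolled again under the new one.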