RocketChat · kodiakhq · Nov 13, 2025 · Nov 3, 2025 · Nov 3, 2025 · Nov 13, 2025
diff --git a/.changeset/dull-deers-live.md b/.changeset/dull-deers-live.md
@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': minor
+---
+
+Allows users to enable TOTP-based two factor authentication without requiring a verified email address.
diff --git a/apps/meteor/app/2fa/server/methods/enable.ts b/apps/meteor/app/2fa/server/methods/enable.ts
@@ -26,14 +26,6 @@ Meteor.methods<ServerMethods>({
 			});
 		}
 
-		const hasUnverifiedEmail = user.emails?.some((email) => !email.verified);
-
-		if (hasUnverifiedEmail) {
-			throw new Meteor.Error('error-invalid-user', 'You need to verify your emails before setting up 2FA', {
-				method: '2fa:enable',
-			});
-		}
-
 		if (user.services?.totp?.enabled) {
 			throw new Meteor.Error('error-2fa-already-enabled');
 		}

@@ -52,7 +52,7 @@ describe('2fa:enable', function () {
 			});
 	});
 
-	it('should return error when user is not verified', async () => {
+	it('should return secret and qr code url even when user has unverified email', async () => {
 		await request
 			.post(methodCall('2fa:enable'))
 			.set(user3Credentials)
@@ -66,10 +66,14 @@ describe('2fa:enable', function () {
 			})
 			.expect(200)
 			.expect((res) => {
-				expect(res.body).to.have.property('message');
-				const result = JSON.parse(res.body.message);
-				expect(result).to.have.property('error');
-				expect(result.error).to.not.have.property('errpr', 'error-invalid-user');
+				expect(res.body).to.have.property('success', true);
+				const parsedBody = JSON.parse(res.body.message);
+				expect(parsedBody).to.have.property('result');
+				expect(parsedBody.result).to.have.property('secret').of.a('string');
+				expect(parsedBody.result)
+					.to.have.property('url')
+					.of.a('string')
+					.match(/^otpauth:\/\//);
 			});
 	});