XF 2.2 How to require two-step authentication on every access of ACP?

Fullmental

Member
We are looking into way to lock down access to the ACP. Currently, if a staff member has two-factor authentication enabled (it is required for ACP access), they can bypass the 2FA by "trusting" the device for 30 days. This potentially leads to a scenario where someone could gain access to a password and authentication browser token, or just physical access to the device where the staff member is logged in, and simply enter the username and password to be able to make changes without the 2FA prompt. While we can educate our staff members on proper security procedures and ask that they don't "trust" their devices, there's no way to enforce such a policy.

We want the 2FA to trigger every time someone attempts to log into the ACP. How can this be done?
 

Fullmental

Member
Thank you for the info. That is a major disappointment - I don't really understand why there would be an option to enable 2FA for the ACP, if it doesn't actually trigger any sort of requirement to use 2FA to log in, separate from the forum itself.
 
Top