Fullmental
Active member
We are looking into ways to lock down access to the ACP. Currently, if a staff member has two-factor authentication enabled (it is required for ACP access), they can bypass the 2FA by "trusting" the device for 30 days. This potentially leads to a scenario where someone could gain access to a password and authentication browser token, or just physical access to the device where the staff member is logged in, and simply enter the username and password to be able to make changes without the 2FA prompt. While we can educate our staff members on proper security procedures and ask that they don't "trust" their devices, there's no way to enforce such a policy.
We want the 2FA to trigger every time someone attempts to log into the ACP. How can this be done?