Not planned Option to disable 2FA globally

[RichardKYA]

I would like to see an option to enable/disable 2FA globally.

While providing better security for members is great, for some sites it could be problematic for different reasons and whatever the reason maybe, I think it should be the site owners choice and not just the members choice.

I would think many sites owners and their staff will want to familiarise themselves with the new feature before giving their members the option to use it because it allow them to offer better assistance/support to their members when the inevitable influx of "I'm locked out of my account..." panic e-mails come flooding in.

While there are other reasons, I believe this reason alone should be why having this as an enable/disable globally option should be added.

 

[Veer]

Yes, and I think it will be a complicated thing for my users so I don't want this enabled.

 

[imthebest]

I find the 2FA feature to be a very good feature for XenForo marketing purposes however for general forums I find it overkill to make the logging process even more complex. Hell I don't even use 2FA for my mail address and I will be using it on a forum account? No thanks.

So please provide a way to let the admin choose if he wants to enable their members to use 2FA or not.

 

[sami simo]

This will add unnecessary complication into the login system, I prefer to disable it.

 

[James]

I don't understand why an administrator would voluntarily disable a security feature designed to make your forums more secure.

If you don't understand or use the technology that's your own prerogative, don't take away the option for your members. The security of their account is in their hands, not yours.

 

[RichardKYA]

@James

I would think many sites owners and their staff will want to familiarise themselves with the new feature before giving their members the option to use it because it allow them to offer better assistance/support to their members when the inevitable influx of "I'm locked out of my account..." panic e-mails come flooding in.

The option to disable globally doesn't mean it will be disabled indefinitely.

 

[James]

@James



The option to disable globally doesn't mean it will be disabled indefinitely.

Fair point, but 2FA is available in lots of places now for you to learn how it works. Alternatively, XenForo would advise you set up a test install (allowed under the licence terms) and you and your staff can practice with the feature on that.

Alternatively, your users would learn how to do it.

Though, to be fair, the HYS post already tells you the options for the inevitable "locked out" - backup codes or contact an administrator to disable 2FA for that account.

 

[RichardKYA]

Alternatively, your users would learn how to do it.

Not all members are young and/or mentally capable of learning new features at ease though and I know this sounds silly, but try to remember that not everyone in the world is mentally stable, and something like this may deter them/panic them/confuse them, etc.

The reason in my OP to have it disabled globally is just 1 of a possible many. As I say...

While providing better security for members is great, for some sites it could be problematic for different reasons and whatever the reason maybe, I think it should be the site owners choice and not just the members choice.

I think it should be the site owners choice as they will know their members capabilities depending on their site's purpose.

 

[imthebest]

For me, having 2FA in a forum is a no go. Why? It is like having a biometric security system to enter the bathroom... why would you like to protect the bathroom? It would be more reasonble to put such a complex security system in your main door or in your own room where you have your TV, your computer and other valuable stuff for a robber.

Forum accounts on regular forums don't need that level of protection that 2FA gives. Unless it is a private forum to talk about economics and other stuff where you deal with sensitive data, 2FA just makes the logging process more complex for members on casual, daily chat forums.

XenForo doesn't knows every forum in the world... it is the admin who knows best what type of people visit their forum and it should be the admin decision to let their members to use or not to use the 2FA feature. If you as an admin run lets say a religious forum or a forum for 60+ years old people I don't see the need to confuse your members with stuff like 2FA on their settings page. That would only generate repetitive questions like "What is 2FA? Should I use it?" and make the paranoid people to feel even more insecure if they aren't using 2FA.

Again, 2FA is excellent for XenForo marketing purposes... but in real life I bet whatever you want that not even 1% of your members are going to use 2FA on their accounts.

 

[James]

Nevertheless, someone will make an addon for you to disable 2FA if necessary.

 

[imthebest]

If this suggestion gets a decent amount of likes the developers *might* consider to provide an option to globally disable it.

 

[James]

If they don't just edit the templates and remove the code relating to enabling the option.

 

[imthebest]

That's how I usually do it however it is not always the safer way to proceed...

 

[Martok]

There's been various debate on why anyone would want to switch off 2FA and that various people use it already in various circumstances including for email.

For the record, I will be enabling it on my site for users to choose to use it or not.

I just thought I'd share something regarding Google's position on 2FA. They have this enabled as an option for all Gmail users. However, if you are a Google Apps user, they have given the control to the Google Apps admin to decide whether or not to switch on the 2FA option for users of that domain (and they also give the option to enforce 2FA too).



So I guess the argument could be, if Google allows Google Apps admins to make the decision on enabling 2FA in their product, then maybe the XenForo devs should follow their lead.

 

[ManagerJosh]

I would like to see an option to enable/disable 2FA globally.

While providing better security for members is great, for some sites it could be problematic for different reasons and whatever the reason maybe, I think it should be the site owners choice and not just the members choice.

I would think many sites owners and their staff will want to familiarise themselves with the new feature before giving their members the option to use it because it allow them to offer better assistance/support to their members when the inevitable influx of "I'm locked out of my account..." panic e-mails come flooding in.

While there are other reasons, I believe this reason alone should be why having this as an enable/disable globally option should be added.

Respectfully, I think it is a very /bad/ idea to set a function to discourage the use of 2FA. There have been a few instances of people reporting in that 2FA has actually saved the hides of people because it could not be cracked.

Remember, for 2FA to properly work, a user actually HAS TO SET IT UP. Even if an administrator or board owner enables it, it does squat until an account holder goes through the setup process.

As for the lockout function, maybe @Chris D or @Mike could let us know if XF has one time use backup codes generated to get back in.

 

[Martok]

Respectfully, I think it is a very /bad/ idea to set a function to discourage the use of 2FA.

Do you think Google are wrong in their approach with Google Apps (see my last post)?

 

[Chris D]

As for the lockout function, maybe @Chris D or @Mike could let us know if XF has one time use backup codes generated to get back in.

Yes you can create backup codes.

 

[RichardKYA]

Hi @ManagerJosh

Like I said in my OP...

While providing better security for members is great, for some sites it could be problematic for different reasons and whatever the reason maybe, I think it should be the site owners choice and not just the members choice.

There could be many reasons were it could cause issues. Yes, it does squat until the member enables it, but if you read other posts on this subject, you'll see that a potential issue is that not all members will know what they are enabling. Not every person in the world understands things the same way as everyone else. People with mental health issues could find something like this stressful and it may limit their access. I'm all for providing extra security and I've never said that I'm not, but I still believe having this feature enabled in the first place should be down to the site owner as they will know their member's capabilities. The argument here isn't about discouraging extra security and it's not about it doing squat until the member set's it up, it's about it being the site owner's choice as to whether they think it is suitable for their site and their members.

If you want it enabled, how does it affect you if there was an option to disable it? It doesn't. But if there isn't an option to disable it, then it will affect every other site owner that doesn't want it enabled.

 

[Fred.]

I don't think it's a good idea to have an option to disable a security feature.
It's like having a safe with no lock on.

If you don't want to use it don't use it.
But don't prevent other users from using it. That's just wrong!

 

[RichardKYA]

I don't think it's a good idea to have an option to disable a security feature.
It's like having a safe with no lock on.

If you don't want to use it don't use it.
But don't prevent other users from using it. That's just wrong!

It's not like having a safe with no lock, your information is protected already, this just adds another level of security.

Read all the other posts to see why it could cause issues for other people.

Plus, you'll see this...

If you want it enabled, how does it affect you if there was an option to disable it? It doesn't. But if there isn't an option to disable it, then it will affect every other site owner that doesn't want it enabled.