[Implemented] Option to force 2-factor authentication on staff

Alpha1

Well-known member
I would like to make 2FA mandatory for staff. Yet, I would not like to lock out staff members who have not set it up yet.
I would like new staff members to only have moderating functionality and admin access available after 2FA is set up. A notice to explain this would help guide users. However, that can also be set up by the admin.
This suggestion has been implemented. Votes are no longer accepted.
And what do you do about staff members who are unable to set up the two factor authentication due to incompatible devices? If you make that a requirement, are you also going to purchase a compatible device and pay for their data plans?

I see a lot of talk about forcing this on staff members, yet not one single individual has stopped to consider what would happen if some of those staff members don't have the ability to use the feature.
There is the option of an email confirmation pin the admin can enable.

> There is the option of an email confirmation pin the admin can enable.

Which pretty much defeats the purpose of two factor authentication, especially if the user's machine has been compromised resulting in an email account compromise as well.

> Which pretty much defeats the purpose of two factor authentication, especially if the user's machine has been compromised resulting in an email account compromise as well.

It is not ideal, but it far from defeats the purpose. It is still useful against database leaks and brute-force attacks.
 
2FA can now be forced in two ways:
  1. On admins trying to access the control panel, via an option. (This won't apply to users already logged into the control panel; it will apply on next login.)
  2. Via a user group permission, over the entire installation. This will immediately block (almost) all access until 2FA is enabled. As such, this is a pretty strong limit so it'd be up to the admin enabling it to decide if they want to give notice before forcing it, who they force it on, etc.
On a side note, in case an admin gets locked out because of 2FA, there's a switch for config.php to temporarily skip 2FA checks, allowing you to regain access to disable it.

> For example, I have a Firefox phone. Are you going to write an app that covers all of the bases for your staff members?
As was already said, this is an open standard: TOTP. And for me it took only a few seconds to find an app for Firefox OS which offers this technology. This app is open source and you can install it on Firefox for Android or other (even desktop) Firefox browsers too. Exactly the same app is also available for Windows Phone.
So having no software or device that supports TOTP 2FA is not a valid argument.