Implemented Option to force 2Factor authentication on staff

Alpha1

Well-known member
I would like to make 2FA mandatory for staff. Yet, I would not like to lock out staff members who have not set it up yet.
I would like new staff members to only have moderating functionality and admin access available after 2FA is set up. A notice to explain this would help guide users. However, that can also be set up by the admin.
 
Upvote 42
This suggestion has been implemented. Votes are no longer accepted.
The danger with unauthorized access to staff accounts is in:
  1. merging all threads in a forum
  2. hard deletion (if allowed)
  3. ACP access
  4. and to a lesser degree: staff forum access & report center access
The first 3 can lead to data loss.
 
While I'm not normally alright with forcing your users to do anything they don't want, I have no problems with enforcing this for staff accounts. A staff member's comp can be compromised, or just using their password somewhere else which gets compromised.

This usually leads to data loss or some sort of damage, no matter what.
 
If you want to make your vote count then like the first post. Replying to this thread has no weight if you do not 'like' the first post.
 
Yes please!
I already require 2Factor authentication for staff members, if it was possible to force them it would be perfect!
 
And what do you do about staff members who are unable to set up the two factor authentication due to incompatible devices? If you make that a requirement, are you also going to purchase a compatible device and pay for their data plans?

I see a lot of talk about forcing this on staff members, yet not one single individual has stopped to consider what would happen if some of those staff members don't have the ability to use the feature.
 
And what do you do about staff members who are unable to set up the two factor authentication due to incompatible devices? If you make that a requirement, are you also going to purchase a compatible device and pay for their data plans?

I see a lot of talk about forcing this on staff members, yet not one single individual has stopped to consider what would happen if some of those staff members don't have the ability to use the feature.
You don't have to force it on staff members. The suggestion is for the option to force it. You also do not need a data plan to use any of the RFC 6238 (Think Google Authenticator) applications or even need a phone (see WinAuth for example).
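The point made above, that an RFC 6238 code is computed locally from a shared secret and the clock and needs no network or phone, and the first post's idea of letting staff log in but withholding moderator and admin rights until 2FA is enrolled, as an added Python example. This is not XenForo's code and not code from any poster; the TOTP routine is checked against the reference vectors published in RFC 6238, while StaffAccount, effective_permissions and the permission names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Set

# RFC 6238 reference secret (ASCII "12345678901234567890") used only for the self-check below.
RFC6238_SHA1_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then RFC 4226 dynamic truncation.
    Nothing here touches the network; only the secret and the current time are needed."""
    counter = struct.pack(">Q", unix_time // step)          # 8-byte big-endian counter
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift.
    compare_digest keeps the comparison constant-time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * 30)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# --- policy side: "force 2FA on staff" without locking anyone out -------------------------

STAFF_PERMISSIONS: Set[str] = {"moderate", "admin_cp"}   # assumed names, not XenForo's


@dataclass
class StaffAccount:
    """Assumed account model: a None totp_secret means 2FA has not been enrolled yet."""
    name: str
    is_staff: bool
    totp_secret: Optional[bytes] = None


def effective_permissions(account: StaffAccount, require_staff_2fa: bool = True) -> Set[str]:
    """Staff without 2FA can still log in as an ordinary member, but gain no staff powers
    until they enrol. Non-staff never receive staff permissions."""
    if not account.is_staff:
        return set()
    if require_staff_2fa and account.totp_secret is None:
        return set()
    return set(STAFF_PERMISSIONS)


def login_notice(account: StaffAccount, require_staff_2fa: bool = True) -> Optional[str]:
    """The explanatory notice the first post asks for; None when nothing needs saying."""
    if account.is_staff and require_staff_2fa and account.totp_secret is None:
        return "Moderator and admin tools are disabled until you enable two-step verification."
    return None


if __name__ == "__main__":
    # Self-check against RFC 6238 Appendix B (SHA-1, 8 digits): T=59 -> 94287082
    assert totp(RFC6238_SHA1_SECRET, 59, digits=8) == "94287082"
    mod = StaffAccount("mod_without_2fa", is_staff=True)
    print(effective_permissions(mod), login_notice(mod))
    mod.totp_secret = RFC6238_SHA1_SECRET
    print(effective_permissions(mod), login_notice(mod))
```

The enforcement is a permission filter rather than a login block, which is what the first post asks for: an un-enrolled staff member keeps their account and can reach the enrolment page, but nothing they could do with moderator or ACP rights is exposed until a secret is stored.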
 
Again... What do you do about those individuals who are unable to run something like that?

For example, I have a Firefox phone. Are you going to write an app that covers all of the bases for your staff members?

While most will be able to use two factor authentication, site owners should bear in mind that they may have long time staff members who are unable to use it effectively, if at all, depending on the implementation.
 
Again... What do you do about those individuals who are unable to run something like that?

For example, I have a Firefox phone. Are you going to write an app that covers all of the bases for your staff members?

While most will be able to use two factor authentication, site owners should bear in mind that they may have long time staff members who are unable to use it effectively, if at all, depending on the implementation.
As I said before, you do not need a phone. It is an open standard and there are many applications already available, such as WinAuth (Windows), JAuth (Windows, Mac, and Linux) and even a chrome extension (Everything that can install Chrome). If you cannot be bothered to install something as simple as a browser extension to keep the security of your account and the board in check, then I'd rather you not be a moderator at all.
 
And what do you do about staff members who are unable to set up the two factor authentication due to incompatible devices? If you make that a requirement, are you also going to purchase a compatible device and pay for their data plans?

I see a lot of talk about forcing this on staff members, yet not one single individual has stopped to consider what would happen if some of those staff members don't have the ability to use the feature.
That's why we have the Yubikeys. Even my grandma can use it! :LOL:
You don't need a phone, just a usb port. Just push the button and done!
I bought them for my staff members so they can login safe.
 
Maybe the best option would be to implement YubiKey and SMS as well; that would be perfect.

In fact any user can select his favorite option:

- email (OTP)
- Google Authenticator
- YubiKey
- SMS

Many of my XenForo users are asking for the SMS method.
 