Reeckz, posted September 14, 2013:
Currently there's no way to enforce Two-Factor Authentication for staff accounts. The way I see it working: when creating a new staff account, you get the option to force the account to set up two-factor. Then on the first login of said staff account he/she is presented with the QR / Key and needs to enter two keys.
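The enrollment flow described above (show the key or QR code once, then require the user to prove the authenticator works before the account is locked to it) maps directly onto RFC 6238 TOTP. The following is an added example, not Blesta code: a minimal TOTP implementation with an enrollment check that demands two codes from consecutive time steps, plus a login verifier that rejects replay of an already used step. Function names, the issuer/account strings and the stored `last_used_step` value are assumptions made for the demonstration; the secret `RFC_SECRET` is the RFC 6238 test-vector key.

```python
"""TOTP (RFC 6238) with a two-code enrollment check.

Added example: this is not Blesta code. Secrets, account names and the
issuer string below are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP = 30      # time step in seconds (RFC 6238 default)
DIGITS = 6

# RFC 6238 test-vector secret (ASCII "12345678901234567890", base32-encoded).
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Return a fresh random shared secret, base32-encoded for the authenticator app."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that is rendered as the QR code at enrollment."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: float, digits: int = DIGITS) -> str:
    """TOTP = HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, int(at_time) // STEP, digits)


def confirm_enrollment(secret_b32: str, first: str, second: str, now: float = None) -> bool:
    """Accept enrollment only if the two codes are valid for consecutive time steps.

    A single code proves little (a typo or a guess is 1 in 10**6); two codes from
    adjacent steps show the app really holds the secret and its clock is in sync.
    One step of skew either way is tolerated.
    """
    now = time.time() if now is None else now
    t = int(now) // STEP
    for start in (t - 1, t):
        expected_first = hotp(secret_b32, start)
        expected_second = hotp(secret_b32, start + 1)
        if (hmac.compare_digest(first, expected_first)
                and hmac.compare_digest(second, expected_second)):
            return True
    return False


def verify_login_code(secret_b32: str, code: str, last_used_step: int, now: float = None):
    """Verify a login code within +/-1 step and refuse replay of an already used step.

    Returns (ok, step_to_store). Persist step_to_store with the account (assumed
    storage, not a Blesta field) so the same code cannot be replayed in its window.
    """
    now = time.time() if now is None else now
    t = int(now) // STEP
    for step in (t - 1, t, t + 1):
        if step > last_used_step and hmac.compare_digest(code, hotp(secret_b32, step)):
            return True, step
    return False, last_used_step


if __name__ == "__main__":
    # Enrollment with the RFC 6238 vectors: codes for T=1111111109 and T=1111111111
    # fall in consecutive 30-second steps, so together they confirm the device.
    print(provisioning_uri(RFC_SECRET, "staff@example.invalid", "Example Billing"))
    print(confirm_enrollment(RFC_SECRET, "081804", "050471", now=1111111111))
```

The replay guard matters because a TOTP code stays valid for the whole window; storing the last accepted step turns each code into a one-shot credential.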
Michael, posted September 14, 2013:
It would be a nice idea and I'd vote for it. I also think maybe that will come in v3.1.0, where I think they might be doing the client side as well.
Ken, posted September 14, 2013:
Though I don't have an immediate need, I would like to see this.
Alex, posted September 15, 2013:
I would definitely like to see forcing two-factor auth for staff as an option. I also look forward to making it an option for clients. I'd like it if clients were presented with the same forced two-factor screen during sign up but it had some explanation and an opt-out "Skip" link in case they don't want to do it. (But they should be able to configure it later if they like.) Maybe an option like "Present two-factor auth during client sign-up" could handle this.
Ken, posted September 15, 2013:
> I would definitely like to see forcing two-factor auth for staff as an option. I also look forward to making it an option for clients. I'd like it if clients were presented with the same forced two-factor screen during sign up but it had some explanation and an opt-out "Skip" link in case they don't want to do it. (But they should be able to configure it later if they like.) Maybe an option like "Present two-factor auth during client sign-up" could handle this.

http://www.blesta.com/forums/index.php?/topic/819-client-two-factor-authentication/?hl=authentication
Alex, posted September 15, 2013:
> http://www.blesta.com/forums/index.php?/topic/819-client-two-factor-authentication/?hl=authentication

Yep, though I don't think they've confirmed any option like the "Present two-factor auth during client sign-up" one I've proposed above, similar to the admin one you've proposed but for clients. It's actually more important to us that we can force two-factor auth for staff than providing it to clients is, but I will go ahead and post a link to here in that other thread just to make sure the developers see my recommendation about the client end.
Ken, posted September 15, 2013:
> Yep, though I don't think they've confirmed any option like the "Present two-factor auth during client sign-up" one I've proposed above, similar to the admin one you've proposed but for clients. It's actually more important to us that we can force two-factor auth for staff than providing it to clients is, but I will go ahead and post a link to here in that other thread just to make sure the developers see my recommendation about the client end.

They've asked us to post one request per thread, which is why I included the thread to the client side two-factor authentication.
Paul, posted September 16, 2013:
Thanks for the suggestion, CORE-763 has been added for forcing staff to use two-factor authentication.
Reeckz (thread author), posted September 17, 2013:
> Thanks for the suggestion, CORE-763 has been added for forcing staff to use two-factor authentication.

Awesome, thanks! What version of Blesta is this? 3.2?
Paul, posted September 18, 2013:
> Awesome, thanks! What version of Blesta is this? 3.2?

CORE-763 is tentatively scheduled for 3.2, yes.
barryf, posted July 16, 2015:
> CORE-763 is tentatively scheduled for 3.2, yes.

Hi, has this been dropped, or might it make it into some future version?
-Barry
Michael, posted July 16, 2015:
> Hi, has this been dropped, or might it make it into some future version?
> -Barry

Not assigned yet: http://dev.blesta.com/browse/CORE-763
Paul, posted July 16, 2015:
> Hi, has this been dropped, or might it make it into some future version?
> -Barry

> Not assigned yet: http://dev.blesta.com/browse/CORE-763

It is still planned, it just hasn't been a very high priority. In the interim, I suggest smacking any staff members not using 2FA upside the head.
Jonathan, posted July 21, 2015:
To add to this, a feature on top of this which would allow certain IPs to be whitelisted and bypass this 2FA check would be great.
Cody, posted July 23, 2015:
> To add to this, a feature on top of this which would allow certain IPs to be whitelisted and bypass this 2FA check would be great.

Oooh... I dunno about that. Sounds like a back door. Whitelisting IPs might be cool though. I can see how some organizations would not want employees logging in remotely.
Jonathan, posted July 23, 2015:
I guess you could call it a back door. Beats having an office full of people constantly having to 2FA (yes, it's not as bad as that with "keep me signed in" and stuff, but still).
Paul, posted July 23, 2015:
I can see how a whitelist for bypassing 2FA would be convenient, but it makes me nervous. I want to be 100% sure nobody is logging in as me without entering my OTP. If plugins can't alter this process, maybe they should be able to; a plugin may be more suitable. I'm totally on board with a whitelist for "Only allow staff from group xyz to login from these CIDRs" though.
Cody, posted July 23, 2015:
> I guess you could call it a back door. Beats having an office full of people constantly having to 2FA (yes, it's not as bad as that with "keep me signed in" and stuff, but still).

You could just disable 2FA on those accounts. But I could see how you wouldn't want to do that if there's the possibility of logging in remotely (which my proposed whitelist would solve). I actually think it would be cool to have a whitelist per staff group.
Paul, posted July 23, 2015:
> I actually think it would be cool to have a whitelist per staff group.

Yes, it would need to be by staff group.
RebornWebs, posted August 13, 2015:
+1
Fantasma, posted August 13, 2015:
+1 to forcing 2FA on all accounts but also implementing a whitelist. I would want to whitelist the office IP address, as 2FA is not needed on-site -- but anything remote, force 2FA.
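The thread splits into two designs: a per-IP bypass of the second factor (Jonathan, Fantasma) and Paul's alternative, a per-staff-group CIDR allowlist that restricts where a group may log in from at all while the OTP stays mandatory. The following is an added example, not Blesta code, of the second design as a login-policy check: source network and second factor are evaluated as independent conditions, so an allowlisted address never substitutes for the OTP. The group names, the documentation-range CIDRs and the decision structure are constructed for the demonstration.

```python
"""Per-staff-group network allowlist that never replaces the second factor.

Added example, not Blesta code. Groups and CIDRs below are constructed
(RFC 5737 / RFC 3849 documentation ranges) for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample policy: each staff group lists the networks it may log in from.
# An empty list means the group has no network restriction.
STAFF_GROUP_NETWORKS: Dict[str, List[str]] = {
    "billing": ["198.51.100.0/24", "2001:db8:1::/48"],
    "support": ["198.51.100.0/24", "203.0.113.0/24"],
    "admins": [],
}


@dataclass
class LoginDecision:
    allowed: bool
    reason: str


def ip_in_allowlist(source_ip: str, cidrs: List[str]) -> bool:
    """True if source_ip falls inside any of the CIDRs (IPv4 or IPv6).

    Raises ValueError for a malformed address so the caller fails closed.
    """
    addr = ip_address(source_ip)
    return any(addr in ip_network(cidr, strict=False) for cidr in cidrs)


def evaluate_staff_login(group: str, source_ip: str, password_ok: bool, otp_ok: bool,
                         networks: Optional[Dict[str, List[str]]] = None) -> LoginDecision:
    """Decide a staff login.

    Order of checks: credentials, then the group's network allowlist, then the OTP.
    The network check only narrows where a login may come from; it does not
    remove the OTP requirement, which is the concern raised against a bypass list.
    """
    networks = STAFF_GROUP_NETWORKS if networks is None else networks
    if not password_ok:
        return LoginDecision(False, "bad credentials")

    cidrs = networks.get(group)
    if cidrs is None:
        return LoginDecision(False, f"unknown staff group {group!r}")

    if cidrs:
        try:
            on_allowed_network = ip_in_allowlist(source_ip, cidrs)
        except ValueError:
            return LoginDecision(False, f"unparseable source address {source_ip!r}")
        if not on_allowed_network:
            return LoginDecision(False,
                                 f"{source_ip} is outside the networks permitted for {group!r}")

    # Second factor is unconditional: an office address is not a credential.
    if not otp_ok:
        return LoginDecision(False, "second factor required")
    return LoginDecision(True, "login permitted")


if __name__ == "__main__":
    # Office address, no OTP: denied (the bypass design would have let this through).
    print(evaluate_staff_login("billing", "198.51.100.7", password_ok=True, otp_ok=False))
    # Remote address, valid OTP: denied, because billing may only log in from the office.
    print(evaluate_staff_login("billing", "192.0.2.44", password_ok=True, otp_ok=True))
    # Office address with OTP: permitted.
    print(evaluate_staff_login("billing", "198.51.100.7", password_ok=True, otp_ok=True))
```

When the application sits behind a reverse proxy, the address fed into this check must be the one the proxy reports for the client, taken from a header the proxy is known to overwrite; otherwise the allowlist is only as trustworthy as the client-supplied value.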