Enforce Two-Factor Authentication For All Staff Accounts


Reeckz


Currently there's no way to enforce Two-Factor Authentication for staff accounts.

The way I see it working:

When creating a new staff account, you get the option to force the account to set up two-factor.

Then on the first login of said staff account he/she is presented with the QR / key and needs to enter two keys.

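The flow proposed in the post above (a per-account "force two-factor" flag, the key shown on first login, two codes entered to confirm), as an added example in Python that is not Blesta's code. The `StaffAccount` record, the function names and the 20-byte secret size are assumptions; the code computation is standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), which is what common authenticator apps produce.

```python
# Added example (not Blesta's code): forcing TOTP enrollment on a staff
# account's first login and confirming it with two consecutive codes.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP = 30      # TOTP time step in seconds
DIGITS = 6     # code length


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded for the QR code / manual key (160 bits is an assumption)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def totp(secret_b32: str, at_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) for the given Unix time."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", at_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class StaffAccount:
    """Hypothetical account record; force_two_factor is the flag chosen when the account is created."""
    def __init__(self, username: str, force_two_factor: bool):
        self.username = username
        self.force_two_factor = force_two_factor
        self.totp_secret: Optional[str] = None
        self.enrolled = False


def start_enrollment(account: StaffAccount) -> str:
    """First login: generate the secret that is displayed as the QR / key. Nothing is trusted yet."""
    account.totp_secret = generate_secret()
    return account.totp_secret


def confirm_enrollment(account: StaffAccount, code1: str, code2: str, now: Optional[int] = None) -> bool:
    """Mark the account enrolled only if code1 and code2 are valid for two consecutive time steps.
    Two consecutive codes show the authenticator really holds the secret and its clock is in sync."""
    if account.totp_secret is None or account.enrolled:
        return False
    now = int(time.time()) if now is None else now
    current = now // STEP
    # Accept the pair (current-1, current) or (current, current+1) so that crossing
    # a step boundary while typing the second code is not fatal.
    for first in (max(current - 1, 0), current):
        expected1 = totp(account.totp_secret, first * STEP)
        expected2 = totp(account.totp_secret, (first + 1) * STEP)
        if hmac.compare_digest(code1, expected1) and hmac.compare_digest(code2, expected2):
            account.enrolled = True
            return True
    return False


def login_decision(account: StaffAccount, otp: Optional[str] = None, now: Optional[int] = None) -> str:
    """'enroll': send the user to the forced setup screen; 'ok': proceed; 'denied': OTP missing or wrong."""
    if account.force_two_factor and not account.enrolled:
        return "enroll"
    if not account.enrolled:
        return "ok"                       # 2FA neither forced nor set up voluntarily
    if otp is None:
        return "denied"
    now = int(time.time()) if now is None else now
    # Accept the previous, current and next step to tolerate small clock drift.
    for t in (now - STEP, now, now + STEP):
        if hmac.compare_digest(otp, totp(account.totp_secret, t)):
            return "ok"
    return "denied"
```

Until `confirm_enrollment` succeeds, `login_decision` keeps returning `enroll`, so a forced account can never reach the panel without a working authenticator; once enrolled, a login without a valid code is denied rather than silently allowed.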

I would definitely like to see forcing two-factor auth for staff as an option. I also look forward to making it an option for clients. I'd like it if clients were presented with the same forced two-factor screen during sign up but it had some explanation and an opt-out "Skip" link in case they don't want to do it. (But they should be able to configure it later if they like.) Maybe an option like "Present two-factor auth during client sign-up" could handle this.

http://www.blesta.com/forums/index.php?/topic/819-client-two-factor-authentication/?hl=authentication


Yep, though I don't think they've confirmed any option like the "Present two-factor auth during client sign-up" one I've proposed above, similar to the admin one you've proposed but for clients. It's actually more important to us that we can force two-factor auth for staff than providing it to clients is, but I will go ahead and post a link to here in that other thread just to make sure the developers see my recommendation about the client end.


They've asked us to post one request per thread which is why I included the thread to the client side two-factor authentication.


  • 1 year later...

To add to this, a feature on top of this which would allow certain IPs to be whitelisted and bypass this 2FA check would be great.

Oooh... I dunno about that. Sounds like a back door.

Whitelisting IPs might be cool though. I can see how some organizations would not want employees logging in remotely.


I can see how a whitelist for bypassing 2FA would be convenient, but it makes me nervous. I want to be 100% sure nobody is logging in as me without entering my OTP. If plugins can't alter this process, maybe they should be able to; a plugin may be more suitable.

I'm totally on board with a whitelist for "Only allow staff from group xyz to login from these CIDRs" though.


I guess you could call it a back door. Beats having an office full of people constantly having to 2FA (yes it's not as bad as that with "keep me signed in" and stuff but still).

You could just disable 2FA on those accounts. But I could see how you wouldn't want to do that if there's the possibility of logging in remotely (which my proposed whitelist would solve).

I actually think it would be cool to have a whitelist per staff group.

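The "only allow staff from group xyz to login from these CIDRs" variant discussed in the last few posts, as an added example in Python that is not Blesta's code. The group table, its field names and the addresses (RFC 5737 and RFC 3849 documentation ranges) are constructed. It goes a little beyond the thread by handling IPv6 as well, and it makes the point the replies were circling: the per-group allow-list is an extra gate in front of the OTP check (AND), not a substitute for it (OR), which is the difference between a network restriction and the "bypass 2FA from these IPs" back door.

```python
# Added example (not Blesta's code): a login policy where a per-staff-group CIDR
# allow-list restricts where a login may come from while the OTP check stays mandatory.
import ipaddress
from typing import Dict, List, Tuple

# Constructed group policy. An empty allow-list means "no network restriction".
STAFF_GROUPS: Dict[str, dict] = {
    "billing": {"allowed_cidrs": ["203.0.113.0/24", "2001:db8:1::/48"], "require_2fa": True},
    "support": {"allowed_cidrs": [], "require_2fa": True},
}


def _networks(cidrs: List[str]) -> list:
    """Parse the CIDR strings once per call; strict=False tolerates host bits in the config."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def source_allowed(group: str, source_ip: str) -> bool:
    """True when the group has no allow-list or the source address is inside one of its CIDRs."""
    policy = STAFF_GROUPS[group]
    if not policy["allowed_cidrs"]:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in _networks(policy["allowed_cidrs"]))


def evaluate_login(group: str, source_ip: str, otp_verified: bool) -> Tuple[bool, str]:
    """Gate order: known group -> parseable address -> network allow-list -> OTP.
    Every gate must pass; the allow-list never replaces the OTP check."""
    if group not in STAFF_GROUPS:
        return False, "unknown_group"
    try:
        ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "invalid_source_ip"
    if not source_allowed(group, source_ip):
        return False, "network_not_allowed"
    if STAFF_GROUPS[group]["require_2fa"] and not otp_verified:
        return False, "otp_required"
    return True, "ok"
```

The reason string is what you would log: a burst of `network_not_allowed` for a billing account is a useful signal on its own, and because the OTP gate sits after the network gate, a leaked password still fails even from an allowed office range.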

  • 3 weeks later...
