Enforce Two-Factor Authentication For All Staff Accounts

[Reeckz]

Currently there's no way to enforce Two-Factor Authentication for staff accounts.

 

The way i see it working:

 

When creating a new staff account, you get the option to force the account to setup two-factor.

 

The on the first login of said staff account he/she is presented with the QR / Key and needs to enter two keys.

[Michael]

It would be a nice idea and I'd vote for it. I also think maybe that will come in v3.1.0 where I think they might be doing the client side aswell.

[Ken]

Though I don't have an immediate need, I would like to see this.

[Alex]

I would definitely like to see forcing two-factor auth for staff as an option. I also look forward to making it an option for clients. I'd like it if clients were presented with the same forced two-factor screen during sign up but it had some explanation and an opt-out "Skip" link in case they don't want to do it. (But they should be able to configure it later if they like.) Maybe an option like "Present two-factor auth during client sign-up" could handle this.

[Ken]

I would definitely like to see forcing two-factor auth for staff as an option. I also look forward to making it an option for clients. I'd like it if clients were presented with the same forced two-factor screen during sign up but it had some explanation and an opt-out "Skip" link in case they don't want to do it. (But they should be able to configure it later if they like.) Maybe an option like "Present two-factor auth during client sign-up" could handle this.

 

http://www.blesta.com/forums/index.php?/topic/819-client-two-factor-authentication/?hl=authentication

[Alex]

http://www.blesta.com/forums/index.php?/topic/819-client-two-factor-authentication/?hl=authentication

 

Yep, though I don't think they've confirmed any option like the "Present two-factor auth during client sign-up" one I've proposed above, similar to the admin one you've proposed but for clients. It's actually more important to us that we can force two-factor auth for staff than providing it to clients is, but I will go ahead and post a link to here in that other thread just to make sure the developers see my recommendation about the client end.

[Ken]

Yep, though I don't think they've confirmed any option like the "Present two-factor auth during client sign-up" one I've proposed above, similar to the admin one you've proposed but for clients. It's actually more important to us that we can force two-factor auth for staff than providing it to clients is, but I will go ahead and post a link to here in that other thread just to make sure the developers see my recommendation about the client end.

 

They've asked us to post one request per thread which is why I included the thread to the client side two-factor authentication.

[Paul]

Thanks for the suggestion, CORE-763 has been added for forcing staff to use two-factor authentication.

[Reeckz]

Thanks for the suggestion, CORE-763 has been added for forcing staff to use two-factor authentication.

Awesome, thanks! What version of blesta is this? 3.2? 

[Paul]

Awesome, thanks! What version of blesta is this? 3.2? 

 

CORE-763 is tentatively scheduled for 3.2, yes.

[barryf]

CORE-763 is tentatively scheduled for 3.2, yes.

 

Hi

 

Has this been dropped, or might it make it in to some future version?

 

-Barry

[Michael]

Hi

 

Has this been dropped, or might it make it in to some future version?

 

-Barry

 

Not assigned yet: http://dev.blesta.com/browse/CORE-763

[Paul]

Hi

 

Has this been dropped, or might it make it in to some future version?

 

-Barry

 

 

Not assigned yet: http://dev.blesta.com/browse/CORE-763

 

It is still planned, it just hasn't been a very high priority. In the interim, I suggest smacking any staff members not using 2FA upside the head.

[Jonathan]

To add to this, a feature on top of this which would allow certain IPs to be whitelisted and bypass this 2FA check would be great.

[Cody]

To add to this, a feature on top of this which would allow certain IPs to be whitelisted and bypass this 2FA check would be great.

 

Oooh... I dunno know about that. Sounds like a back door.

 

White listing IPs might be cool though. I can see how some organization would not want employees logging in remotely.

[Jonathan]

I guess you could call it a back door.  Beats having an office full of people constantly having to 2FA (yes it's not as bad as that with "keep me signed in" and stuff but still).

[Paul]

I can see how a whitelist for bypassing 2FA would be convenient, but it makes me nervous. I want to be 100%  sure nobody is logging in as me without entering my OTP. If plugins can't alter this process, maybe they should be able to, a plugin may be more suitable.

 

I'm totally on board with a whitelist for "Only allow staff from group xyz to login from these CIDR's" though.

[Cody]

I guess you could call it a back door.  Beats having an office full of people constantly having to 2FA (yes it's not as bad as that with "keep me signed in" and stuff but still).

 

You could just disable 2FA on those accounts. But I could see how you wouldn't want to do that if there's the possibility of logging in remotely (which my proposed white list would solve).

 

I actually think it would be cool to have a white list per staff group.

[Paul]

I actually think it would be cool to have a white list per staff group.

 

Yes, it would need to be by staff group.

[RebornWebs]

+1

[Fantasma]

+1 to forcing 2FA on all accounts but also implementing white list. I would want to whitelist the office IP address, as 2FA not needed on-site -- but anything remote, force 2FA.