BookStackApp / BookStack

A platform to create documentation/wiki content built with PHP & Laravel
https://www.bookstackapp.com/
MIT License
14.37k stars 1.82k forks

Global disable 2FA #4353

Open nixklai opened 1 year ago

nixklai commented 1 year ago

Describe the feature you'd like

I think we should consider a "global kill switch" to disable 2FA.

This option should be limited to SSO-enabled BookStack instance.

Describe the benefits this would bring to existing BookStack users

This feature is intended to make life easier for BookStack admins.

For an SSO-enabled BookStack instance, admins may already enable MFA requirements at SSO instead of BookStack. However, currently BookStack allows users to enable both with no way to globally turn BookStack 2FA off, which causes nuisance to admins and confusion to users.

Case 1: An existing user may have enabled BookStack 2FA, and then enrolled into SSO MFA.
Case 2: A new user who has enabled SSO MFA can also enable BookStack 2FA.

In both cases, users can encounter 2 MFA challenges. Also, having 2 pathways to "enable 2FA/MFA" may cause users to enable the wrong MFA mechanism.

Can the goal of this request already be achieved via other means?

No. The BookStack 2FA mechanism cannot be disabled by admins.

Have you searched for an existing open/closed issue?

How long have you been using BookStack?

0 to 6 months

Additional context

No response

ssddanbrown commented 1 year ago

Thanks for the request @nixklai. Possibly something we look to do when we add the next MFA option (maybe #3912). At that point, we'd probably want to provide control of MFA options to users, so could disable MFA setup if the admin has configured no MFA options to be available.

Easiest/safest route to take would probably be to prevent new MFA registration/setup via this, rather than toggle entire MFA availability on/off. This avoids core conditional auth logic and keeps some flexibility of enabling MFA for core/important accounts before making it unavailable, with the impact being some potential pain to existing MFA environments where full disabling is required, but there are other options for dealing with that one-time case (DB lookup & de-activation via CLI).

BobWs commented 2 months ago

I'm facing this issue also. As an Admin I'm setting up SSO for my users on a Synology NAS using the built-in app Synology SSO Server to serve SSO to my users. I've successfully managed to set up SAML for my existing BookStack users; the only problem I'm facing now is the double 2FA/MFA for the users. In the standard method, 2FA/MFA was already enabled for the users, and now with the SSO migration every user needs to authenticate the MFA 2 times. As this is an old post, I was wondering if there is already a solution for this?

ssddanbrown commented 2 months ago

@BobWs There's a command to reset user MFA: https://www.bookstackapp.com/docs/admin/commands/#reset-user-mfa-methods

You could export the user list (API, Database, Scrape UI) to then batch that for each user.
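One way to batch the per-user reset described above, as an added example that is not part of this thread or of BookStack's own code. It assumes a user export in `id,email` form (the sample below is constructed; a real one would come from the users API or a database query), and it assumes the command name and `--id` flag match the linked documentation for your installed version, so check that page before running. A `KEEP_MFA` list lets you leave BookStack MFA in place for accounts that do not log in through SSO (for example a local break-glass admin), which is the flexibility the maintainer's comment mentions; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not BookStack's own code): turn a user export into a batch of
# MFA-reset commands. Run from the BookStack install directory with RUN_RESET=1
# to execute; without it, the commands are only printed for review.

# Constructed sample export, one "id,email" line per user. Replace with a real
# export piped on stdin (see run_batch below).
SAMPLE_EXPORT='id,email
1,admin@example.com
2,alice@example.com
3,bob@example.com'

# Accounts that authenticate locally (not via SSO) and should keep their
# BookStack MFA. Space-separated e-mail addresses; hypothetical values.
KEEP_MFA="admin@example.com"

# build_reset_commands: read "id,email" lines on stdin and print one
# "php artisan bookstack:reset-mfa --id=<id>" line per user. Header rows,
# blank lines, non-numeric ids and KEEP_MFA accounts are skipped.
# Command name and flag taken from the linked BookStack docs (assumption:
# unchanged in your version).
build_reset_commands() {
    while IFS=, read -r id email; do
        [ -z "$id" ] && continue
        case "$id" in *[!0-9]*) continue ;; esac
        case " $KEEP_MFA " in *" $email "*) continue ;; esac
        printf 'php artisan bookstack:reset-mfa --id=%s\n' "$id"
    done
}

# count_reset_commands: number of commands a given export text would produce.
count_reset_commands() {
    printf '%s\n' "$1" | build_reset_commands | wc -l | tr -d ' '
}

# run_batch: read an export on stdin; print the commands, or execute them
# one by one when RUN_RESET=1 (each reset is independent, so a failure on
# one user does not silently skip the rest).
run_batch() {
    if [ "${RUN_RESET:-0}" = "1" ]; then
        build_reset_commands | while read -r cmd; do
            sh -c "$cmd" || printf 'failed: %s\n' "$cmd" >&2
        done
    else
        build_reset_commands
    fi
}

# Stand-alone run: dry-run over the constructed sample.
printf '%s\n' "$SAMPLE_EXPORT" | run_batch
```

For a real export, replace the last line with `run_batch < users.csv`. Resetting MFA this way only clears enrolled methods; users can re-enrol afterwards, which is the gap the feature request is about.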

col-panic commented 3 weeks ago

I second this request. An ENV variable to deactivate 2FA would really be handy. There is some confusion in an SSO scenario to have an additional 2FA pop up.