FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

[Category] MFA #960

Open robotdan opened 3 years ago

robotdan commented 3 years ago

MultiFactor Authentication

Expand the scope and features around multi-factor authentication.

Project

Multi-Factor authentication is a broad topic and FusionAuth currently supports some basic options for multi-factor authentication. The current options include the application based TOTP (Google Authenticator, Authy, etc) and Twilio SMS push.

The options for MFA are expanding quickly and more of our clients require these solutions or are purchasing them from third parties to augment the FusionAuth feature set.

The goal of this project is to provide a comprehensive set of options, capabilities and policies around multi-factor authentication in FusionAuth.

Delivered in 1.26.0

Some of the features and use cases outlined here were delivered in 1.26.0.

Issues delivered in 1.26.0

Partially available

Use Cases

  1. User logs into FusionAuth admin console, requires 2FA because this application is considered more secure.
    • Other users in the same tenant that may be logging into other applications may not be required to 2FA.
    • This could also be solved as a policy for employees. Since they are logging in via SSO, and have access to the admin console, this user should always be required to complete a second factor authentication.

Components

MultiFactor options

FusionAuth currently supports "Google Authenticator" (application based TOTP), and Twilio based SMS push.

As part of this project we will be making the multi-factor options more comprehensive and flexible. A user can have one to many devices or configurations for MFA.

For example:

Messaging templates

SMS is one option for push capability as it relates to MFA. As a component of this feature we will likely need to build out localizable messaging templates that can optionally be used with an SMS provider.

Extendable SMS

Currently Twilio is the only SMS provider available in FusionAuth. We will want to build a more generic interface to support all SMS providers, and similar messaging systems to push end users a message.

For example:

This will likely be provided as a custom webhook of sorts that will require a small amount of glue code to accept a JSON message and then deliver it to the transport of your choosing.

Step Up Auth

APIs to allow step up authentication to be performed with password or multi factor options at arbitrary decision points in your business logic or based upon configuration such as time since last login, IP address changes, or other threat detection models.

Web Authentication (WebAuthN)

(DELIVERED) Support the WebAuthN standard natively in FusionAuth.

Federation
Self service

Once we enable all of these features, the end user needs to be able to manage these additional configurations and select their preferences.

Ideal use cases:

Licensing

This discussion is still happening; ideally we would leave all existing MFA options alone and require a paid edition of FusionAuth to enable the additional MFA configurations outlined here.

Related Issues

The following issues describe one or more components of this project and will be partially or fully addressed as part of this project.

Related Specs

Proposed Step Up Spec

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
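The "Extendable SMS" section above describes glue code that accepts a JSON message from FusionAuth and hands it to a transport of your choosing. The block below is an added example of such glue code, not code from FusionAuth or from this issue; it assumes a payload shape of `phoneNumber` and `textMessage`, an `X-Signature` header carrying an HMAC-SHA256 hex digest of the raw body, and a placeholder shared secret, all of which are constructed for the example.

```python
import hashlib
import hmac
import json

# Assumed payload shape (constructed; the issue only says "a JSON message").
# Assumed: the sender signs the raw body with HMAC-SHA256 into X-Signature.
WEBHOOK_SECRET = b"replace-with-your-shared-secret"  # placeholder


class DeliveryError(Exception):
    """Raised when a message cannot be authenticated, parsed or delivered."""


def verify_signature(secret, body, signature):
    """Constant-time check that the body was signed with the shared secret."""
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature or "")


def mask_number(number):
    """Keep only the last two digits for audit logs."""
    return "*" * (len(number) - 2) + number[-2:]


def route_message(body, headers, transports, secret=WEBHOOK_SECRET):
    """Authenticate the webhook, parse the JSON and deliver via a transport.

    transports maps a dialling prefix such as "+1", or "default", to a
    callable taking (phone_number, text) and returning a provider message id.
    """
    if not verify_signature(secret, body, headers.get("X-Signature")):
        raise DeliveryError("webhook signature mismatch")
    try:
        msg = json.loads(body)
        to, text = msg["phoneNumber"], msg["textMessage"]
    except (ValueError, KeyError, TypeError) as exc:
        raise DeliveryError("malformed message: %s" % type(exc).__name__) from exc
    # Longest matching prefix wins (so "+44" beats "+4"); otherwise "default".
    name = max((p for p in transports if p != "default" and to.startswith(p)),
               key=len, default="default")
    send = transports.get(name)
    if send is None:
        raise DeliveryError("no transport configured for recipient")
    message_id = send(to, text)
    # Audit record that is safe to log: masked recipient, no OTP text.
    return {"transport": name, "to": mask_number(to), "message_id": message_id}
```

Rejecting unsigned requests before parsing keeps the endpoint from becoming an open relay for arbitrary text messages, and the returned record is what you log rather than the message body.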

DaviddH commented 3 years ago

While I understand the need to create more paid features, the self service part of the current MFA options is really lacking and it would be a shame to put it behind a paid subscription. It seems really weird to me that the MFA flow is included in the current login flow once set up, but that you need to create your own page to set up MFA.

mooreds commented 3 years ago

@DaviddH Thanks for your feedback!

We're aware that this feature would be useful to many people and are continually discussing what makes sense to be a premium feature and what makes sense to include in the community edition.

We love our community and sharing free, accessible software to let everyone have a world class auth experience but also need to build a sustainable business; there's obviously a tension there. We're striving to be transparent about this tension and the decisions needed. At this point we've determined that MFA as outlined above is a premium feature. Any type of “account edit” forms that we build into FusionAuth itself are going to fall into the “Advanced Forms” feature and that’s already a premium offering (see https://fusionauth.io/features/advanced-registration-forms/ for more). This fact makes the MFA forms an even more natural fit for paid editions.

If you'd like to contribute an example of a self service MFA page which you've already built out to make others' integrations with FusionAuth easier, we'd be happy to share it with others in the community. We typically use the Apache2 license for our example projects.

mooreds commented 3 years ago

Wanted to add this link to the forum, where we mention the effect that the work related to this issue will have on existing MFA functionality: https://fusionauth.io/community/forum/topic/689/upcoming-mfa-changes