Feature(Request,Proposal) - Optional Two-Factor Authentication

[NinaHerrmann]

Hey everyone!

thank you for the great plugin, we are delighted to use it.

This is a possible feature request - which we are also willing to implement, but which I want to discuss previously. Currently, multi-factor authentication is either obligatory or not possible. However, for certain roles, we want to make MFA optional. Concerned users might set up MFA, others not.

Current status: Users who are not obligated to activate MFA do not see the preference setting, but when they call admin/tool/mfa/user_preferences.php manually they can add a MFA factor. When they add (a) factor(s) they get asked for that factor in the login process but if they click do not have the device they are logged in. (As they are not required by role to have MFA).

I would suggest adding a table tracing all users who optionally use mfa. During the login process, this table is checked for users who are not required to use MFA. In case you are worried about runtime, I could make optional MFA a config setting that allows/disables optional MFA.

I would be really happy to receive feedback if you have resources to implement it yourself, review a pull request, or you would recommend creating a fork and maintaining the feature on my own.

Thank you so much, cheers! Nina

[danmarsden]

This should be possible already using the "no other factors" factor.

unfortunately the documentation for setting this plugin up is pretty limited at the moment, but Moodle HQ are bringing it into the core 4.3 release so I'm hoping that will come with some improved documentation that shows how to set it up under different scenarios.

closing this off as I believe it's already possible but happy for someone to reopen if they think I'm wrong.

[NinaHerrmann]

Thank you so much for your fast answer! E.g. Authenticator App + No other factor works just fine.

There is one combination that does not work and I was wondering if you have any idea how to work around it!

Authenticator App + No other factor + Role Factor (force admins) - does not work for our application context. During authentication, optional users are passed through (forgot my device) as they fulfill the role factor.

Do you have any information on how to force administrators and still have optional MFA for all other users?

[NinaHerrmann]

Never mind I think it is sufficient to reduce the role factor to 50 :champagne:

[NinaHerrmann]

Thank you so much!

[danmarsden]

Great to hear you figured it out!!! - sorry the documentation is so lacking at the moment!! - hopefully now that it's landing in Moodle core we'll see some further help from the community to improve that in the official moodledocs when it lands.

[NinaHerrmann]

Ah, then you might want to add this example to the documentation? Example X

If you want optional and obligatory MFA dependent on roles enable e.g. Authenticator App (or any other factor(s)) - 100 No other factor (enables optional enrolment ) - 100 Role Factor (force admins) - 50 (important to have less than 100, to force non admins to fulfill other factor as well)

You must be:

• not of type admin and no MFA factor enabled OR
• admin/normal user with MFA factor