globaleaks / GlobaLeaks

GlobaLeaks is free, open source software enabling anyone to easily set up and maintain a secure whistleblowing platform.
https://www.globaleaks.org

Enforce Two Factor Authentication after 1 month since first users' login #3112

Open evilaliv3 opened 2 years ago

evilaliv3 commented 2 years ago

This ticket is to keep track of a set of possible changes and discussion in relation to 2FA, and some improvements aimed at supporting adoption of 2FA in every whistleblowing project based on GlobaLeaks.

Currently 2FA has been implemented gradually and the system leaves it to administrators to require it or leave it optional; unfortunately, the fact that the application's default does not make 2FA mandatory means that most projects are running without this feature enabled.

With this ticket I would like to propose some possible improvements:

This could significantly raise the adoption of two factor authentication while offering new users the possibility to test the system simply during the first month of their use.

This is currently just an idea to stimulate the discussion; an alternative could be to simply require two factor authentication.
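One way the proposed grace-period rule could be modelled, as an added example in Python that is not GlobaLeaks' own code; the 30-day period, the admin switch and the `enabled_at` start date for existing users are assumptions of this example:

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

@dataclass
class User:
    username: str
    two_factor_enabled: bool
    first_login: Optional[datetime]  # None: the user has never logged in

@dataclass
class TwoFactorPolicy:
    enforce_after_grace: bool = True  # admin switch, as commenters asked for
    grace_period: timedelta = timedelta(days=30)  # "1 month" assumed as 30 days
    # When the admin turned enforcement on: existing users get a full grace
    # period from this moment instead of being locked out at the next login.
    enabled_at: Optional[datetime] = None

def two_factor_decision(user: User, policy: TwoFactorPolicy,
                        now: datetime) -> Tuple[str, Optional[int]]:
    """Return ("allow" | "warn" | "enroll_required", days_left).

    "warn": login proceeds but the UI shows the days left to enroll;
    "enroll_required": the session is restricted to 2FA enrollment.
    """
    if user.two_factor_enabled or not policy.enforce_after_grace:
        return "allow", None
    if user.first_login is None:
        return "allow", None  # the grace clock starts at the first login
    start = user.first_login
    if policy.enabled_at is not None:
        start = max(start, policy.enabled_at)
    deadline = start + policy.grace_period
    if now >= deadline:
        return "enroll_required", 0
    return "warn", math.ceil((deadline - now) / timedelta(days=1))

def demo_decisions() -> Dict[str, Tuple[str, Optional[int]]]:
    """Constructed sample accounts evaluated on 2023-03-20 (not real data)."""
    def utc(y, m, d):
        return datetime(y, m, d, tzinfo=timezone.utc)
    policy = TwoFactorPolicy(enabled_at=utc(2023, 2, 15))
    users = [User("alice", True, utc(2022, 6, 1)),   # already enrolled
             User("bob", False, utc(2023, 2, 20)),   # new user, still in grace
             User("carol", False, utc(2023, 1, 1)),  # old user, grace expired
             User("dave", False, None)]              # never logged in
    return {u.username: two_factor_decision(u, policy, utc(2023, 3, 20))
            for u in users}
```

Counting the grace period from the later of first login and policy activation is what keeps existing users from being locked out the day an admin enables the setting.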

evilaliv3 commented 2 years ago

@cyberflaneuse @giorgiofraschini @elbill @larrykind @maxmois @aetdr @schris-dk: I consider that this could be interesting to you all. Please feel free to provide your feedback if any.

giorgiofraschini commented 2 years ago

I think this is extremely useful. It is important to balance this implementation with the average user of GlobaLeaks, who is often not skilled enough. This feature will inevitably increase the requests for assistance by users who had the software previously set up by IT colleagues. It is important to highlight this process (one month and the 2-factor becomes "binding"), as the users could be unprepared after that month. In general I think 1 month is a good time.

elbill commented 2 years ago

I think this is a good idea but should be optional.

schris-dk commented 2 years ago

Agree - should be optional setting decided by admin

evilaliv3 commented 2 years ago

Thank you all for your feedback! Later on I will try to think of some mockups for the possible feature and load them here.

aetdr commented 2 years ago

We are enforcing it anyway, but I agree with others - it should be optional.