mitydigital / statamic-two-factor

A Two Factor authentication addon for Statamic

Feature Request: Optional 2FA for specific roles #10

Closed BIllusion closed 4 months ago

BIllusion commented 6 months ago

Hey there,

I found this plugin while looking for an easy way to add 2FA to a client project. It seems like a great fit, but I noticed that currently 2FA is enforced for all users.

In my use case, I'd need the flexibility to make it optional for specific user roles. Ideally, role-based configuration would be fantastic, but even a simple on/off toggle in the config for enforcing 2FA would be hugely beneficial.

Just wondering if either of these features might be something that could be added in the (near) future?

Thanks!

martyf commented 6 months ago

Can look into this but not sure of timeframe at the moment due to some current scheduling.

It purposely has little CP management so that it is quite strict in its behaviour so that it can't be turned off via the CP - it must be via the env (or code) level.

Would enforcement at the super admin level resolve your current roadblock? Or do you require explicit role access? Love to hear more about how you're planning to use it.

It is a balance of finding easy management, enforceability (so that it can't be bypassed or disabled), reliability and flexibility, and would not want to rush this sort of feature at the expense of any of these points.

BIllusion commented 5 months ago

Hi Marty, appreciate your response!

My intention was to implement 2FA specifically for groups or roles with elevated privileges, as they possess the potential to cause significant damage. Additionally, I aimed to apply it to "external" authors or contributors, where password security is beyond my control.

To achieve this, implementing some form of management within the CP would be necessary to enforce 2FA for these groups. This would introduce the risk that super admins could potentially disable it. One solution for this could be to configure the enforced groups within a configuration file.

Alternatively, another approach could be to mandate 2FA setup for super admins or no account (disabling enforcement completely via a config-line) by default and provide all users the option to enable it for their accounts. In my scenario, I would then issue a directive or policy to external accounts, requiring them to set up 2FA within a specified timeframe. With the already available icon in the user list indicating whether 2FA is activated for each user, I could monitor compliance with the policy and restrict access for those who fail to comply.

In either scenario, in my use case it would be essential to have the capability to enable 2FA for any account, regardless of whether it's enforced or optional.

Looking forward to hearing your thoughts on these proposed approaches!

lakkes-ra commented 5 months ago

I am switching from kind-work/two-fa to your addon at the moment and thought the same thing.

First: I found it very nice and easy to switch. Just worked out of the box. 👌

kind-work/two-fa had the feature to make 2fa optional for users. They could set it up via a certain route, if they liked. I also think it would be a nice enhancement.

Thank you for your work and kind regards.

martyf commented 4 months ago

I've just tagged 2.2.0 which has added an enforced_roles configuration option.

After upgrading, by default, the behaviour is the same as earlier versions - it is enforced for all.

However you can now add a role's handle to the enforced_roles configuration option in the Two Factor for Statamic config file to opt in for specific roles.

Full details are available: https://docs.mity.com.au/two-factor/roles

I have one idea of how this could be cleanly done in the CP but requires core updates so that is a discussion I'll raise with the core team after Flat Camp. But this at least allows role-specific enforcement via config-file-level changes.

@lakkes-ra for route-specific set up, not sure what you mean here (or whether that needs to be a separate issue?)
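The enforcement rule described in the comment above (an empty `enforced_roles` list keeps the enforce-for-all default; a non-empty list enforces only for users holding one of the listed role handles), as an added illustration that is not the addon's code and does not use Statamic's API. It also adds the compliance check BIllusion describes earlier in the thread: listing users who are enforced but have not set up 2FA. The function names, the user array shape and the role handles (`super_admin`, `external_author`, `editor`) are constructed for this example and are not taken from the addon or from any real site.

```php
<?php
// Added illustration, not the addon's code: models the enforcement rule
// described in the thread. An empty enforced_roles list keeps the
// pre-2.2.0 behaviour (everyone must use 2FA); a non-empty list enforces
// 2FA only for users holding at least one of the listed role handles.
// Role handles and user records below are constructed sample values.

declare(strict_types=1);

/**
 * Decide whether a user must have two-factor enabled.
 *
 * @param string[] $enforcedRoles Role handles from the enforced_roles config option.
 * @param string[] $userRoles     Role handles assigned to the user.
 */
function twoFactorIsEnforced(array $enforcedRoles, array $userRoles): bool
{
    // Default configuration: the list is empty, so enforcement applies to every user.
    if ($enforcedRoles === []) {
        return true;
    }

    // Opt-in mode: enforced only if the user holds any of the listed roles.
    return array_intersect($enforcedRoles, $userRoles) !== [];
}

/**
 * Compliance check: users who are enforced but have no 2FA set up yet.
 * This is the "who still needs to comply" view before access is restricted.
 *
 * @param string[] $enforcedRoles
 * @param array<int, array{email: string, roles: string[], two_factor: bool}> $users
 * @return string[] emails of non-compliant users
 */
function nonCompliantUsers(array $enforcedRoles, array $users): array
{
    $out = [];
    foreach ($users as $user) {
        if (twoFactorIsEnforced($enforcedRoles, $user['roles']) && !$user['two_factor']) {
            $out[] = $user['email'];
        }
    }
    return $out;
}

// Constructed sample data (hypothetical role handles and users).
$enforcedRoles = ['super_admin', 'external_author'];
$users = [
    ['email' => 'admin@example.test', 'roles' => ['super_admin'],     'two_factor' => true],
    ['email' => 'guest@example.test', 'roles' => ['external_author'], 'two_factor' => false],
    ['email' => 'staff@example.test', 'roles' => ['editor'],          'two_factor' => false],
];

// Role-specific enforcement: only enforced users without 2FA are reported.
print_r(nonCompliantUsers($enforcedRoles, $users));

// Default (empty list): every user without 2FA is reported.
print_r(nonCompliantUsers([], $users));
```

Keeping the enforced role list in a config file rather than in the CP, as the thread discusses, is what makes this check trustworthy: a super admin cannot shrink the list from the UI, so the compliance report reflects the deployed policy rather than whatever was last toggled in the panel.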

lakkes-ra commented 4 months ago

Hi @martyf, that's a nice enhancement, thank you. 🙏

What I meant is an "individual optional opt-in", like we know it from many web apps. If I want to have 2FA, I can set it up for my account myself; if I don't want it, I don't. kind-work/two-fa did it with routes like /twofa/setup. I guess it's a pretty big feature. Just wanted to drop the idea. Sure, I can create another "Idea Issue" if you like, so this can be closed.

martyf commented 4 months ago

Hi @lakkes-ra can I get you to detail this one as a new issue, just to help keep things separate?

I want to get something scheduled (and not fall off the radar) but also think this initial ticket can close.

lakkes-ra commented 4 months ago

Hi @martyf, sure, will do. 👌