I am requiring users to use TOTP (I don't have the Email option enabled), so when we onboard new staff, we check to make sure they have completed their TOTP setup, but there's nothing preventing them from disabling this in the future. I would like to be able to prevent them from doing this, either intentionally, or accidentally.
Current vs. suggested behavior
Currently users can enable 2FA but then disable it later and it's not easy to keep track of them doing this.
Why would the enhancement be useful to users?
For some sites / apps, it is really important that this remains activated
I have achieved what I want with a hook, but I still think it would be a nice addition to be able to apply this via a setting in ProcessLogin.
$this->wire()->addHookAfter('Field::getInputfield', function(HookEvent $event) {
if($this->wire('user')->isSuperuser() || $this->page->process !== 'ProcessUser') return;
$field = $event->object;
$inputfield = $event->return;
$page = $event->arguments[0];
if($field->name == 'tfa_type' && $page->hasTfa() == 'TfaTotp') {
$inputfield->collapsed = Inputfield::collapsedNoLocked;
$inputfield->notes = 'This is locked. Please contact an administrator if you need any help.';
}
});
Note that if most folks want to use this hook, they'll want to replace ProcessUser with ProcessProfile, but I am doing things a little differently :)
Short description of the enhancement
I am requiring users to use TOTP (I don't have the Email option enabled), so when we onboard new staff, we check to make sure they have completed their TOTP setup, but there's nothing preventing them from disabling this in the future. I would like to be able to prevent them from doing this, either intentionally, or accidentally.
Current vs. suggested behavior
Currently users can enable 2FA but then disable it later and it's not easy to keep track of them doing this.
Why would the enhancement be useful to users?
For some sites / apps, it is really important that this remains activated
I have achieved what I want with a hook, but I still think it would be a nice addition to be able to apply this via a setting in ProcessLogin.
Note that if most folks want to use this hook, they'll want to replace
ProcessUser
withProcessProfile
, but I am doing things a little differently :)