umbraco / Umbraco.Heartcore.Issues


Backoffice security enhancements #35

Open miguelcrpinto opened 2 years ago

miguelcrpinto commented 2 years ago

Issue description

Hi,

While working on a project for a client that is using Heartcore, I noticed that the only option available in terms of restricting access to the back office is a regular username and password, which most of the time does not comply with the security requirements of bigger companies/clients.

The most common questions/requests that we get are:

Would you consider allowing/implementing (some of) the following options?

Miguel

sitereactor commented 2 years ago

Hi @miguelcrpinto, yes, well I can say that 2FA is on the roadmap - we are aiming for Q2 but it's not set in stone yet. But you will be able to see it on the roadmap once it's published. But most likely in Q2 of this calendar year :)

Restricting access based on IPs is something we could consider for Heartcore as well. We are running some tests related to IP restrictions for regular Umbraco Cloud over the next couple of weeks, and based on the outcome we can determine if we could enable it for Heartcore and when. But I would say that it's something we want to enable, so mostly a matter of how and when.

External identity providers is a bit more complicated and not something we will get to this year (2022). It's a common ask, but also a bit more involved for us and we have some other work that needs to be done first. So it will likely be further out.

miguelcrpinto commented 2 years ago

I'll wait for the roadmap announcement and then comment here again. Looking forward to seeing what's coming up for Heartcore!