umbraco / Umbraco.Heartcore.Issues


Feature request: 2FA For Umbraco Cloud & Heartcore Backoffice #6

Closed tolkienosborn closed 2 years ago

tolkienosborn commented 3 years ago

As an existing Heartcore / Cloud user I am trying to win new business to implement in Umbraco Heartcore. But often a stumbling block is the need to secure the backoffice with 2FA to minimise the risk of stolen credentials.

nul800sebastiaan commented 3 years ago

Hi and thanks for the feature request @tolkienosborn. 2FA is definitely on our wishlist for Heartcore but we're not ready to add that at this point. Unfortunately, we don't have a timeframe for when this will be added at this point. I'll add this issue to the list of ideas for the future.

I know it doesn't fully satisfy your feature request but a password policy until that time might work: encourage users to use a long password that isn't reused on other sites, minimizing the risks.

soreng commented 3 years ago

@nul800sebastiaan one of our clients has strongly requested MFA login for their Umbraco Cloud users.

Preferably they would like to be able to delegate authentication back to their own Azure AD.

adam1403csi commented 3 years ago

@nul800sebastiaan

This is starting to become a requirement for a number of our clients, and the lack of 2FA on the login is stopping us being able to recommend Umbraco Cloud / Heartcore to some clients.

warrenmoriyama commented 2 years ago

Hi @nul800sebastiaan, our clients are requesting MFA for Umbraco Cloud in order to be compliant with various security policies including their own. In 2021, soon to be 2022, this is now a must-have feature for all authentication platforms, especially those that need to operate in a corporate environment.

abirchgiacom commented 2 years ago

We are currently reviewing our use of Umbraco Cloud and without 2FA capability it does not meet our vendor onboarding requirements. @nul800sebastiaan is there any update on when this might be actioned? Users tend to be the weakest security link so a password policy is not an appropriate answer.

chris110000 commented 2 years ago

We see 2FA as a very important feature to add to Umbraco Cloud Portal. Do you see a chance to prioritize this?

sitereactor commented 2 years ago

We completely agree that it's necessary and it is being prioritized. Beginning of January we will revisit the roadmap for Cloud and Heartcore and figure out when we can fit it in. So beginning of January I should be able to give a more concrete update.

c9mb commented 2 years ago

Sounds good. I'd just like to add that moving Kudu from Basic Authentication to using 2FA-protected Forms authentication would also be appreciated, so that password managers are able to be used - or even Umbraco-SSO if that will work.

jkulker commented 2 years ago

@sitereactor do you have any update regarding this issue?

sitereactor commented 2 years ago

I don't have anything super concrete as of yet other than it's in the top 5 of items for our roadmap. We are still in the process of planning out what is picked up when. It will be published and advertised via the Umbraco.com blog. But I will post back here as well when I have something more concrete.

c9mb commented 2 years ago

@sitereactor - any feel for whether or not the backoffice 2FA is likely to be back-ported to Umbraco7 sites running on Umbraco-Cloud?

Like many people using Umbraco-Cloud, I have a number of v7 sites that are likely to remain on UC for quite a while (clients are always reluctant to 'fix' what isn't broken) but are obviously going to become increasingly exposed to this problem.

I have looked at trying to address this by patching together parts from multiple other 2FA solutions, but haven't yet got something I'm happy to deploy, and don't want to spend time re-inventing the wheel if a better solution will be back-ported.

sitereactor commented 2 years ago

We have a version of Umbraco Id for Umbraco 7, so it might be possible. But we have been hesitant to push Umbraco Id to Umbraco 7 because it lacks certain extension points, which have been added to Umbraco 8.

We can definitely consider it, but I'm unsure how realistic it will be. Just to set expectations.

Christoph-Schmid commented 2 years ago

> We see 2FA as a very important feature to add to Umbraco Cloud Portal. Do you see a chance to prioritize this?

@sitereactor do you have any updates on MFA for Umbraco Cloud Portal?

sitereactor commented 2 years ago

We are starting the initial work a couple of weeks from now. As we are starting off with bringing Umbraco Id to Heartcore as the first part of this work, it's difficult to say for sure when the 2FA part will be added to the Cloud Portal, but a rough guesstimate is end of April / beginning of May. And I expect that 2FA for the Umbraco Backoffice and the Cloud Portal will go hand in hand.

Christoph-Schmid commented 2 years ago

> We are starting the initial work a couple of weeks from now. As we are starting off with bringing Umbraco Id to Heartcore as the first part of this work, it's difficult to say for sure when the 2FA part will be added to the Cloud Portal, but a rough guesstimate is end of April / beginning of May. And I expect that 2FA for the Umbraco Backoffice and the Cloud Portal will go hand in hand.

Hi, any update on this?

abirchgiacom commented 2 years ago

Is there an update on this, please? Were those timescales met or has this slipped?

sitereactor commented 2 years ago

Hi all, yes the target date for this feature has been moved from what we originally anticipated. The work has been started, but I'm not able to give a good answer on when it will be released yet. We need to get a bit further with the implementation first.

I will update this thread as we progress, so you know what is going on.

sitereactor commented 2 years ago

This feature has been released and is available to all via the User Profile page. You can get to it from the Umbraco Cloud Portal or from the Backoffice - click the avatar then click "Edit your Umbraco ID profile" and from the profile page you can choose the 2 factor auth method.

Release blog post can be found here: https://umbraco.com/blog/product-update-september-16-2022/#2fa