Feature #35086

Please consider changing the way how 2FA is set up

Added by robert heiler 6 months ago. Updated 4 months ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Accounts / authentication
Target version: -
Resolution: Invalid
Start date:
Due date:
% Done: 0%

Description

Hey guys,

I don't want to write too much, so it is not hard for you to handle this
issue.

Recently the ruby bug tracker has been changed to require 2FA.

This is a problem for me as I don't have a smartphone, so the change
locked me out of the bug tracker.

Anyway - this is not about that; I would like to suggest a few things.

(1) Right now if you click "sign out" you can not sign out because
the 2FA wall shows up:

"The administrator requires you to enable two-factor authentication."

This should be different. It should ALWAYS be possible to sign out
again. Sure I can use cookies or use another browser, but I logged
into my account of ~13 years just now. Now the 2FA wall prevents me
from doing anything, including "sign out". This is not good UI.

We should be able to log out (sign out) again.

Anyway this is a smaller part.

(2) The bigger issue is that I don't get any information about
WHY 2FA is suddenly used, and who enabled it. Yes, I get it,
the site owner did so, but perhaps the site owner was not aware
that this will effectively perma-ban some users. Not everyone
has a smartphone or can use 2FA. I already explained this
on rubygems.org the github issue tracker, that mandatory 2FA
means I can no longer use rubygems, so I'd have to remove
my account at rubygems.org (whereas at github I could still
publish that code, so this is weird...)

Please consider (2), because it means that the admin of a
site may accidentally retire people from ruby, without
even intending to do so. To me this is a dealbreaker,
because it means I can no longer use the official bug tracker
of ruby, which then means I can no longer voice my concern
(I don't use emails really ... never liked emails in ~over
20 years...). That means I'd become a second class citizen
to ruby, compared to other users, and since I have no intention
to accept this, it would effectively mean that I would also
abandon ruby in the long run.

Ruby is a great language, but to me mandatory 2FA is not
acceptable. While this is not the fault of redmine itself,
I think usability wise several things could be improved.

I assume none of you guys so far thought about how this
could cause friction and strife, so hopefully the way how
2FA is explained to users can change in the long run. I
had to slowly collect that information since nothing
was announced anywhere! Suddenly from one day to the
other I was slapped in the face with that 2FA wall,
so perhaps you can understand my frustration here.


Related issues

Related to Redmine - Defect #35087: Users without two-factor authentication enabled cannot si... Closed
Related to Redmine - Feature #34070: Allow setting a grace period when forcing 2FA New
Related to Redmine - Feature #31920: Require 2FA only for certain user groups Closed
Related to Redmine - Feature #1237: Add support for two-factor authentication Closed 2008-05-14

History

#1 Updated by Go MAEDA 6 months ago

  • Related to Defect #35087: Users without two-factor authentication enabled cannot sign out when two-factor authentication is required added

#2 Updated by Go MAEDA 6 months ago

robert heiler wrote:

(1) Right now if you click "sign out" you can not sign out because
the 2FA wall shows up:

"The administrator requires you to enable two-factor authentication."

This should be different. It should ALWAYS be possible to sign out
again. Sure I can use cookies or use another browser, but I logged
into my account of ~13 years just now. Now the 2FA wall prevents me
from doing anything, including "sign out". This is not good UI.

We should be able to log out (sign out) again.

I have posted a patch for this: #35087

#3 Updated by Go MAEDA 6 months ago

I think it is not a problem with Redmine itself that the admin of bugs.ruby-lang.org suddenly set two-factor authentication required, but what do you think should be done to improve Redmine for this?

#4 Updated by Marius BALTEANU 6 months ago

I think the following two open issues will improve the current 2FA implementation:

#5 Updated by Marius BALTEANU 6 months ago

  • Related to Feature #34070: Allow setting a grace period when forcing 2FA added

#6 Updated by Marius BALTEANU 6 months ago

  • Related to Feature #31920: Require 2FA only for certain user groups added

#7 Updated by Marius BALTEANU 4 months ago

  • Related to Feature #1237: Add support for two-factor authentication added

#8 Updated by Go MAEDA 4 months ago

  • Status changed from New to Closed
  • Resolution set to Invalid

robert heiler wrote:

(1) Right now if you click "sign out" you can not sign out because
the 2FA wall shows up:

"The administrator requires you to enable two-factor authentication."

This should be different. It should ALWAYS be possible to sign out
again. Sure I can use cookies or use another browser, but I logged
into my account of ~13 years just now. Now the 2FA wall prevents me
from doing anything, including "sign out". This is not good UI.

Fixed in #35087. Thank you for pointing it out.

(2) The bigger issue is that I don't get any information about
WHY 2FA is suddenly used, and who enabled it.

We cannot do anything about this. Please contact admins of https://bugs.ruby-lang.org/ or consider using a 2FA app that runs on PC.
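To make point (1) of the description concrete, here is an added Ruby illustration (not Redmine's own code) of a mandatory-2FA gate: the buggy variant exempts only the enrollment actions, so a signed-in user without 2FA is also blocked from signing out, while the fixed variant exempts sign-out as well, which is the behaviour the thread describes as fixed in #35087. The class name, action names and user model are assumptions.

```ruby
require 'set'

# Minimal stand-in for a signed-in user (assumed shape, not Redmine's model).
User = Struct.new(:login, :twofa_enabled, keyword_init: true)

# A before-action style gate that decides whether a request may proceed when
# the site administrator has made two-factor authentication mandatory.
class TwofaGate
  # Actions a user must still reach while 2FA is mandatory but not yet enabled:
  # the 2FA enrollment flow itself, and signing out (the gap reported in #35087).
  EXEMPT = Set.new(%w[twofa#setup twofa#confirm account#logout]).freeze

  def initialize(required:, exempt: EXEMPT)
    @required = required
    @exempt = exempt
  end

  # Returns :allow, or :require_twofa meaning "redirect to the 2FA wall".
  def check(user, controller, action)
    return :allow unless @required
    return :allow if user.twofa_enabled
    return :allow if @exempt.include?("#{controller}##{action}")
    :require_twofa
  end
end

# Buggy: logout is not exempt, so the user is trapped behind the 2FA wall.
BUGGY = TwofaGate.new(required: true, exempt: Set.new(%w[twofa#setup twofa#confirm]))
# Fixed: sign-out is always reachable; everything else still hits the wall.
FIXED = TwofaGate.new(required: true)

def demo
  alice = User.new(login: 'alice', twofa_enabled: false)  # constructed sample user
  {
    buggy_logout: BUGGY.check(alice, 'account', 'logout'),
    fixed_logout: FIXED.check(alice, 'account', 'logout'),
    fixed_issues: FIXED.check(alice, 'issues', 'index')
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```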
