Project

General

Profile

Actions

Feature #35086

closed

Please consider changing the way how 2FA is set up

Added by robert heiler over 3 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Accounts / authentication
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Invalid

Description

Hey guys,

I don't want to write too much, so it is not hard for you to handle this
issue.

Recently the ruby bug tracker has been changed to require 2FA.

This is a problem for me as I don't have a smartphone, so the change
locked me out of the bug tracker.

Anyway - this is not about that; I would like to suggest a few things.

(1) Right now if you click "sign out" you can not sign out because
the 2FA wall shows up:

"The administrator requires you to enable two-factor authentication."

This should be different. It should ALWAYS be possible to sign out
again. Sure I can use cookies or use another browser, but I logged
into my account of ~13 years just now. Now the 2FA wall prevents me
from doing anything, including "sign out". This is not good UI.

We should be able to log out (sign out) again.

Anyway this is a smaller part.

(2) The bigger issue is that I don't get any information about
WHY 2FA is suddenly used, and who enabled it. Yes, I get it,
the site owner did so, but perhaps the site owner was not aware
that this will effectively perma-ban some users. Not everyone
has a smartphone or can use 2FA. I already explained this
on rubygems.org the github issue tracker, that mandatory 2FA
means I can no longer use rubygems, so I'd have to remove
my account at rubygems.org (whereas at github I could still
publish that code, so this is weird...)

Please consider (2), because it means that the admin of a
site may accidentally retire people from ruby, without
even intending to do so. To me this is a dealbreaker,
because it means I can no longer use the official bug tracker
of ruby, which then means I can no longer voice my concern
(I don't use emails really ... never liked emails in ~over
20 years...). That means I'd become a second class citizen
to ruby, compared to other users, and since I have no intention
to accept this, it would effectively mean that I would also
abandon ruby in the long run.

Ruby is a great language, but to me mandatory 2FA is not
acceptable. While this is not the fault of redmine itself,
I think usability wise several things could be improved.

I assume none of you guys so far thought about how this
could cause friction and strife, so hopefully the way how
2FA is explained to users can change in the long run. I
had slowly collect that information since nothing
was announced anywhere! Suddenly from one day to the
other I was slapped into the face with that 2FA wall,
so perhaps you can understand my frustration here.


Related issues

Related to Redmine - Defect #35087: Users without two-factor authentication enabled cannot sign out when two-factor authentication is requiredClosedGo MAEDA

Actions
Related to Redmine - Feature #34070: Allow setting a grace period when forcing 2FANewMarius BĂLTEANU

Actions
Related to Redmine - Feature #31920: Require 2FA only for certain user groupsClosedMarius BĂLTEANU

Actions
Related to Redmine - Feature #1237: Add support for two-factor authenticationClosedGo MAEDA2008-05-14

Actions
Actions

Also available in: Atom PDF