Feature #35439

Option to require 2FA only for users with administration rights

Added by Marius BALTEANU 3 months ago. Updated 3 months ago.

Status: New
Priority: Normal
Assignee: Marius BALTEANU
% Done: 0%
Category: Accounts / authentication
Target version: -
Start date:
Due date:
Resolution:

Description

#31920 adds the option to enable 2FA only for certain groups when the 2FA setting is set to optional. This is very useful, but it doesn't cover the case when you want to enable 2FA only for administrators. As a best security practice, if you cannot enforce it for all users, administrators should be the top priority to secure with 2FA.

My proposal is to add a new setting to allow enforcing 2FA only for administrators:

What do you think?

2fa_optional.png (83.9 KB) Marius BALTEANU, 2021-06-22 23:21
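To make the proposed policy concrete, here is an added example (not Redmine's own code, and not code from the issue author) that models the decision "must this user set up 2FA before continuing?" as a standalone Ruby function. It keeps the three existing modes (disabled / optional / required), the per-group enforcement from #31920, and adds the proposed "required for administrators" flag on top of the optional mode. The constants, struct names and the `twofa_required_for_admins` setting name are assumptions for the example; the sample users and groups are constructed inline.

```ruby
# Added example: standalone model of the 2FA enforcement policy discussed
# in this issue. Not Redmine's own code; setting values and names assumed.

# Assumed global 2FA modes (Redmine stores the setting as a string).
TWOFA_DISABLED = '0'
TWOFA_OPTIONAL = '1'
TWOFA_REQUIRED = '2'

# Minimal stand-ins for Setting, User and Group (constructed for the example).
Settings = Struct.new(:twofa, :twofa_required_for_admins, keyword_init: true)
Group    = Struct.new(:name, :twofa_required, keyword_init: true)
User     = Struct.new(:login, :admin, :groups, :twofa_active, keyword_init: true)

# True when the user must activate 2FA before being allowed to continue.
def must_activate_twofa?(user, settings)
  return false if user.twofa_active            # already protected, nothing to enforce
  case settings.twofa
  when TWOFA_REQUIRED then true                # required for everyone
  when TWOFA_OPTIONAL
    # Proposed admin flag, combined with the per-group flag from #31920.
    (settings.twofa_required_for_admins && user.admin) ||
      user.groups.any?(&:twofa_required)
  else false                                   # disabled
  end
end

# True when the current settings guarantee that administrators use 2FA.
def enforces_admin_twofa?(settings)
  settings.twofa == TWOFA_REQUIRED ||
    (settings.twofa == TWOFA_OPTIONAL && settings.twofa_required_for_admins)
end

# Returns the logins of administrators who should be notified when a settings
# change relaxes admin 2FA enforcement (the idea raised in comments #2 and #3),
# so that a single admin cannot silently untick the box.
def admins_to_notify_on_relaxation(old_settings, new_settings, users)
  relaxed = enforces_admin_twofa?(old_settings) && !enforces_admin_twofa?(new_settings)
  return [] unless relaxed
  users.select(&:admin).map(&:login)
end

# Constructed sample data.
DEVS   = Group.new(name: 'Developers', twofa_required: true)
GUESTS = Group.new(name: 'Guests',     twofa_required: false)
ALICE  = User.new(login: 'alice', admin: true,  groups: [GUESTS], twofa_active: false)
BOB    = User.new(login: 'bob',   admin: false, groups: [DEVS],   twofa_active: false)
CAROL  = User.new(login: 'carol', admin: false, groups: [GUESTS], twofa_active: false)
DAVE   = User.new(login: 'dave',  admin: true,  groups: [],       twofa_active: true)
ALL_USERS = [ALICE, BOB, CAROL, DAVE]

OPTIONAL_WITH_ADMINS = Settings.new(twofa: TWOFA_OPTIONAL, twofa_required_for_admins: true)
OPTIONAL_PLAIN       = Settings.new(twofa: TWOFA_OPTIONAL, twofa_required_for_admins: false)

if __FILE__ == $PROGRAM_NAME
  ALL_USERS.each do |u|
    puts "#{u.login}: must activate 2FA = #{must_activate_twofa?(u, OPTIONAL_WITH_ADMINS)}"
  end
  puts "notify on relaxation: #{admins_to_notify_on_relaxation(OPTIONAL_WITH_ADMINS, OPTIONAL_PLAIN, ALL_USERS).inspect}"
end
```

With the admin flag on, `alice` (admin, not yet enrolled) is forced to set up 2FA while `carol` (plain user in a non-enforced group) is not; `bob` is still caught by his group's flag, and `dave` is left alone because he is already enrolled. Turning the admin flag off again yields a notification list of every administrator, which is the audit signal suggested in the comments below.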


Related issues

Related to Redmine - Feature #1237: Add support for two-factor authentication Closed 2008-05-14

History

#1 Updated by Marius BALTEANU 3 months ago

  • Related to Feature #1237: Add support for two-factor authentication added

#2 Updated by Bernhard Rohloff 3 months ago

+1 I like the idea. It sounds very reasonable.
One thing I would like to mention is that it doesn't take much to remove the tick from the checkbox as an administrator without the other admins taking notice of the change.
Wouldn't it be better to have this setting in the configuration.yml to have more control over who can change it? Another option could be that every administrator gets notified if this option gets disabled.

#3 Updated by Marius BALTEANU 3 months ago

Bernhard Rohloff wrote:

Wouldn't it be better to have this setting in the configuration.yml to have more control over who can change it? Another option could be that every administrator gets notified if this option gets disabled.

A notification sounds better to me.
