-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow each admin user to choose which 2fa providers to setup #273
Comments
2FA module was moved to https://github.com/magento/security-package/. |
Thank you @ihor-sviziev |
Hi @willjones-stratagem. Thank you for your report. Please, add a comment to assign the issue:
|
@willjones-stratagem Thank you for the report! This is by design. Once a user has configured all enabled providers they are able to choose which one they want to authenticate with. |
To expand on my explanation, your users can configure the one they have access to at the time, then later when they have access to another they can configure the second one. You can skip configuration of a provider as long as you have at least one already configured. Once they have both configured they can simply choose which one they want to use at a given time. |
@tschirmer When multiple providers are enabled, each user must configure all of them (or skip the configuration). Once they are configured each user can choose which provider to authenticate with at each login. |
What about adding multiple yubikeys as backup keys ? as you know when getting a hardware based token, you would always need a backup key which you should register with the service that provides that @nathanjosiah correct me if i am wrong however but there is the possibility to do so as in the encrypted stored json data
Doesn't the above mean that we should be able to add in X yubikeys ? as an example ? looking into all of the services that provide 2FA -> configuration should be doable from Admin panel as well on user level to add in 2FA / change the 2FA / add in new security keys as extra methods and have a list of generated backup codes that is basic in regards to 2FA. |
@alucardatem yes, that is correct. The implementation was built with this forward-compatibility should it ever be implemented since it was a relatively common use case within u2f keys. However, u2f keys are not very common so there isn't a lot of push for this (or really any new 2fa features) and subsequently our product teams do not have anything on the roadmap at the moment for this feature. That said, something that may be of interest to you is that we do have something on the roadmap that would minimize the number of times you need to complete a 2fa challenge while using the same device. A sort of "remember me" feature. |
@nathanjosiah - while the "remember me" feature is something nice to have, i think that users should have the possibility of changing the secret on the google auth ( re-implementing it or turning it off ) or having the option to use backup codes. but adding hardware tokens has become an essential security practice these days inside a lot of businesses and something like that inspires more trust to a merchant and a day to day operations user of the admin panel for a member of staff of client X from company Y, and would also take the load off a single administrator to issue "resets" every time someone "forgets" or loses the phone etc. And to be honest, in this case at lease as i am seeing it combining the "remember me" for 2fa / login etc what it will be called ( similar to what last pass uses i would assume ) would be a really exciting feature and capability of magento which will put it ahead of competitors? |
We have multiple cases in our customer base where some admins would like to use only google auth, others would like to use only hardware keys, and some would like to have both. Currently, such a flow has really bad UX because in case an account has only one provider configured, the admin is forced to receive the email to configure the second one, and only after clicking the link in the email admin is able to click "Skip until next login" to use already configured provider. Could you explain why skipping is not possible directly after the login screen (having of course at least one provider configured) without a need to receive an email and clicking on the link there? |
Why is this closed ? and how can we set this to skip from the start and not go through X emails and bad workflows over this ? now you can imagine that currently we have Google authenticator / authy / uf2 keys ==> that means that the person who uses the u2f key has to do skip on 2 emails before logging in. |
@alucardatem just for your information, since we cannot wait for Magento's official fix, we created a module that solves that issue: https://packagist.org/packages/creativestyle/magesuite-tfa-do-not-force-all-providers |
@diwipl - done something similar ( internally ) :D without the skip.. it is just the show all providers in order to login directly via that one however do like the skip second activation. thank you |
@nathanjosiah please can you re-open this so that it can be resolved properly. |
I'm going to look into this again. One of my teams may have availability to work on this. |
Preconditions
Steps to reproduce
Enable (and configure) the following 2FA providers:
Expected result
A user can choose between one of the three 2FA methods.
Actual result
Magento expects all three 2FA providers to be configured for every user account and it is not possible to pick and choose which provider is used on a per user basis.
Configuring multiple 2FA providers causes the system to see them all as forced providers, meaning that they have to be configured for each and every user in the system as opposed to allowing a user to choose between one of the enabled providers.
This is a problem, considering that merchants may wish to configure the second factor authentication method on a user or role basis. For example, store administrators may wish to use Duo, whereas employees dealing with order fulfillment (who perhaps don't need to access the admin area out of hours and not have mobile phones on them during their day) may need to use a U2F such as Yubikey or similar.
The current implementation does not allow for this use case, which seems like it should be a very obvious option that should be included.
The text was updated successfully, but these errors were encountered: