I recently started enforcing MFA for all users on my forum and I was told that many users would be unable to see the thread that provides advice on how to use MFA (many users are not technical).
While the article is accessible to anonymous users, if a user is logged in but not MFA-enrolled, they can’t see any of the site. They’re stuck on the user security preferences with this:
While I personally expect a user to be able to handle this, I have advised users who don’t use authenticator apps and privacy-paranoid users on how to use MFA in a “more private way”.
Spare me the lectures, I know.
It would be nice if I could embed information in the enforcement message so I could help users more, like including a recommended password manager or authenticator app, or advising users to make sure the time is accurate on the device with the authenticator. Otherwise many users who are admittedly ignorant will have a bad experience and fight me more than they already are.
On a side note as well, passkeys are MFA; that should be resolved.
Editing the site text as mentioned above is the simplest way to provide some instruction, but you’re limited to text-only in that context.
If you want to add some HTML (links, images, etc) you can create a new theme component from the themes & components admin area.
From the components tab (admin/config/customize/components) you can click “install”, then “create new”, give it an obvious name… and then once your component is created, “edit code.”
From there you would go to the JS tab and can add something like this:

```gjs
import { apiInitializer } from "discourse/lib/api";

// Template-only component holding the extra instructions.
const CustomMessage = <template>
  <div class="custom-2fa-message">
    Your custom content here above the existing content.
    <a href="#">Example link</a>
  </div>
</template>;

export default apiInitializer("1.0", (api) => {
  // Render the message before the second-factor wrapper on the
  // user security preferences page.
  api.renderBeforeWrapperOutlet("user-second-factor-wrapper", CustomMessage);
});
```
From the not-what-you-asked-for Department, maybe you give people a week or a month to get two-factor turned on and nag them until they do somehow. Yeah, current_user has a second_factor_enabled in it, so you could put up a big “THE END IS NEAR” banner for those who haven’t managed yet with a link to the instructions.
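
The banner idea from the last reply, sketched as an added example that is not part of any post in this thread: a theme component that shows a reminder only to logged-in users whose `second_factor_enabled` flag is false. The outlet name `above-main-container`, the CSS class and the instructions URL are assumptions or placeholders, and the sketch assumes enforcement is not yet switched on, since enforced users never get past the security preferences page.

```gjs
import Component from "@glimmer/component";
import { service } from "@ember/service";
import { apiInitializer } from "discourse/lib/api";

// Added example: reminder banner for users who have not enrolled yet.
class MfaReminderBanner extends Component {
  // Discourse injects the logged-in user here; it is null for anonymous
  // visitors, who can already read the instructions thread.
  @service currentUser;

  get shouldShow() {
    // second_factor_enabled is the flag named in the reply above.
    // Whether it also covers passkey-only accounts is not stated in the
    // thread, so check that on your own site before relying on it.
    return Boolean(this.currentUser) && !this.currentUser.second_factor_enabled;
  }

  <template>
    {{#if this.shouldShow}}
      <div class="mfa-reminder-banner">
        Two-factor authentication will soon be required on this site.
        Make sure the clock on the device running your authenticator app
        is accurate before you enroll.
        {{! Placeholder URL: point this at your own instructions thread. }}
        <a href="/t/PLACEHOLDER-mfa-instructions">How to set it up</a>
      </div>
    {{/if}}
  </template>
}

export default apiInitializer("1.0", (api) => {
  // Assumed outlet: renders above the main content on every page.
  api.renderInOutlet("above-main-container", MfaReminderBanner);
});
```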