Is there a way to require moderators and admins to use two factor authentication?
I thought there was a setting, but cannot find it in the current version.
I don’t think such a setting exists!
But it may exist in future.
No, you can’t require it but you can easily see who enabled 2FA from /admin/users/list/staff:
7 Likes
Moved this topic to feature. I recently enabled mandatory 2FA on our mattermost server and I really like how it worked. I think we could do this quite nicely in Discourse by following a similar process:
- Admin enables site setting
enforce 2FA:staff - If other staff users are logged in, and have 2FA configured, great! Nothing to do here.
- If other staff users are logged in, but do not have 2FA configured, redirect them to 2FA configuration page. Users cannot do anything else (except log out) until they’ve configured 2FA.
- If other staff users are logged out, upon next login immediately redirect them to 2FA configuration page. Users cannot do anything else (except log out) until they’ve configured 2FA.
Other valid options for the site setting would be none, admins, and all. I think in most cases (especially public boards) all is overkill, but I could see this as a benefit for internal sites.
13 Likes
Thanks again for the suggestion @nibl. This is now on the list to be included in Discourse Version 2.3 (list always subject to change).
6 Likes