Requiring 2FA for staff

planned

(Marcus) #1

Is there a way to require moderators and admins to use two factor authentication?

I thought there was a setting, but cannot find it in the current version.


Discourse Version 2.3
(Bhanu Sharma) #2

I don’t think such a setting exists!
But it may exist in future.


(Daniela) #3

No, you can’t require it but you can easily see who enabled 2FA from /admin/users/list/staff:

image


(Joshua Rosenfeld) #4

Moved this topic to #feature. I recently enabled mandatory 2FA on our mattermost server and I really like how it worked. I think we could do this quite nicely in Discourse by following a similar process:

  1. Admin enables site setting enforce 2FA : staff
  2. If other staff users are logged in, and have 2FA configured, great! Nothing to do here.
  3. If other staff users are logged in, but do not have 2FA configured, redirect them to 2FA configuration page. Users cannot do anything else (except log out) until they’ve configured 2FA.
  4. If other staff users are logged out, upon next login immediately redirect them to 2FA configuration page. Users cannot do anything else (except log out) until they’ve configured 2FA.

Other valid options for the site setting would be none, admins, and all. I think in most cases (especially public boards) all is overkill, but I could see this as a benefit for internal sites.


(Joshua Rosenfeld) #17

Thanks again for the suggestion @nibl. This is now on the list to be included in Discourse Version 2.2 (list always subject to change).