As an admin I should be able to force MFA setup and MFA at every login for my users

grandahl · June 25, 2019, 11:23am

Checklist
I have read intro post: About the Installation Issues category
[x ] I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

Hi we have bought Passbolt Pro because of 2FA.
We have set it up and it seems in the administrator interface that everything is working.
We have set it up for Google Authenticator and DUO.

The issue is that it is not working, when we write our password at login, it is just logging us in without asking for 2FA… I am thinking it could be something to do with expire time on 2FA, so how can i disable that so it ALWAYS asks for 2FA ?

remy · June 25, 2019, 11:47am

hi @grandahl,

The MFA functionality was designed with different requirements. By default the MFA authentication is valid for 72h and is resetted if the user agent changes. This is similar to how MFA works on large websites such as google, where there is a balance between usability and security.

However we can implement an option for an administrator to enforce the behavior you mention (MFA required for every login, including the first one). In that regard, I’m changing this issue as a feature request. We will tackle it at some point.

In the meantime you can shorten the life of the authentication token (this will affect other tokens, such as the registration emails token), using the environment variable PASSBOLT_AUTH_TOKEN_EXPIRY (by default set to ‘3 days’). If you set it 24h your users will require MFA at least once a day.

Feel free to contact us on support@passbolt.com if you have further questions.

grandahl · June 25, 2019, 12:20pm

Thanks for the quick feedback

It would be awesome if it gets implemented

remy · June 25, 2019, 12:21pm

It will be, I’ll personally work on it!

system · June 30, 2019, 12:26pm

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.

Speatzle · November 22, 2020, 11:58am

Did a Feature get Implemented for this? We are currently facing the same issue.

remy · October 20, 2022, 9:37am

Specs for MFA enforcement: MFA policy settings - Requirements & specifications - Google Docs

Missing specs for a setting to “disable remember me” option on MFA.

garrett · March 24, 2023, 1:40am

Done with release: New Release: v3.11.0 ~ Regular

shootify · April 23, 2023, 12:17am

HI Garrrett, i just update to 3.12 and i dont see the option to force users to set up 2FA!

garrett · April 23, 2023, 12:33am

Are you on Pro version?

shootify · April 23, 2023, 12:35am

ohoh. community… :). thanks

shootify · April 24, 2023, 6:07am

any plan to implement it on CE?

garrett · April 24, 2023, 12:35pm

I think the best response is to remember that the Pro version features are addressing the needs and concerns of professional teams. Many of the features were requested by those professionals. If you are leading a professional team or need to source a tool for one, have you considered Pro?

As it is in CE, it is shown who has MFA enabled or not. So, the admin can take action and force it, though not automatic. By “force it” I mean talk to the person, and disable their account, etc if they don’t do it.

russellnomer · May 24, 2023, 2:43pm

It would be really useful to have a force MFA in the community edition too and to be able to report on users who are and are not using MFA. This is particularly useful for startups seeking attestations to specific security standards.

clayton · May 25, 2023, 6:50am

@russellnomer welcome to the forum!

The MFA status is visible in the users workspace, but can be a bit tedious if you have a lot of users. One way to report on this would be to directly query the database. The following is a quick query you could run occasionally to report on this:

select users.username
from users
left join account_settings on users.id=account_settings.user_id
where users.username not in(select users.username
                            from users
                            left join account_settings on users.id=account_settings.user_id
                            where account_settings.property = 'mfa' 
                            ) 
and users.active=1 and users.deleted=0;

shootify · June 2, 2023, 6:40pm

sorry but i am confused, was this feature requested finally added or not yet to the CE?

garrett · June 2, 2023, 7:29pm

@shootify No.

I see you keep asking when features are going to be in CE so I thought I would speak to this a bit. As you know there are two versions, Pro and Community Edition. It might be a misunderstanding that Community Edition is simply a downstream delayed version of Pro. It’s not.

In the case of some features, they won’t be in CE.

Though there have been some exceptions along the way, Pro should be seen as having additional features that make management for teams easier, vs possible.

Like this feature with which users are using MFA. In both versions, it’s possible to use MFA. It’s possible to see who’s using it in CE via querying the db, but it’s more convenient in Pro with an enforcement of it.

If convenience is valuable, consider the Pro version. Pro doesn’t only offer additional features, it comes with service when there’s problems.

shootify · June 2, 2023, 9:52pm

thanks, FYI, ill be evaluating the PRO Version, however i am more inclined to CE, in fact, I always tent to use CE for this kinda of projects, but PRO is on my list.
I like the fact the developer showing love the the CE, so its important NOT to take any basic feature out of it.
thanks a lot.

garrett · June 2, 2023, 11:49pm

There are a lot of examples out there (Centos, Owncloud, pfsense, etc) that have a “corporate” upstream and a - what shall I call it? A starving dog community version.

Passbolt is not that at all.

The Community Edition is legit in its own right. Both it and the Pro version are developed simultaneously by the same team. And I would call the Pro version the heavy lifter. The team needs to eat and in addition to investments like startups have, they run a business.

In this sense, I want passbolt Pro to hit it out of the park for teams that have high standards. I’ve helped some with the service side in the past and it’s personal like taking your car in to someone you trust. That’s how customers see it, so that’s how the team sees it.

I do also think that with Passbolt it’s not hard to be supportive in the spirit of giving back to open source. Although they want to be transparent for security reasons, in my opinion they have also been very generous in the product path feature-wise.

As the community grows we need more people helping the brand new users who install it fresh and run into issues. After awhile, folks here come to see the progress continues like clockwork without asking when or whether. Passbolt has a good team and a clear vision and it’s inherently hard work to do right. It must be done right.

My job, as I see it, is to pitch the idea that the community here can also reflect this. That as a community we can enjoy an understanding that the team is a good one, that they work hard and care about not cutting corners. That we would enjoy working with them as colleagues and there is a culture of listening around here that makes it easy to be heard.

We can be thankful, and express support for them to be confident as they choose what they see as the best option on how to offer each feature in either version. We all win when they are doing well.

Thanks @shootify for recognizing the devs, it helps. They read it.