As an admin I should be able to force MFA setup and MFA at every login for my users

[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
[ ] I provide relevant information about my server (component names and versions, etc.)
[ ] I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to troubleshoot the problem
[ ] I describe the steps on how to reproduce the issue

Hi, we have bought Passbolt Pro because of 2FA.
We have set it up, and in the administrator interface it seems that everything is working.
We have set it up for Google Authenticator and DUO.

The issue is that it is not working: when we enter our password at login, it just logs us in without asking for 2FA… I am thinking it could be something to do with the expiry time on 2FA, so how can I disable that so it ALWAYS asks for 2FA?

hi @grandahl,

The MFA functionality was designed with different requirements. By default the MFA authentication is valid for 72h and is reset if the user agent changes. This is similar to how MFA works on large websites such as Google, where there is a balance between usability and security.

However, we can implement an option for an administrator to enforce the behavior you mention (MFA required for every login, including the first one). In that regard, I’m changing this issue to a feature request. We will tackle it at some point.

In the meantime you can shorten the life of the authentication token (this will affect other tokens, such as the registration email token), using the environment variable PASSBOLT_AUTH_TOKEN_EXPIRY (by default set to ‘3 days’). If you set it to 24h, your users will be asked for MFA at least once a day.

Feel free to contact us if you have further questions.
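The following is an added example, not Passbolt's own code and not part of the reply above. It models the behaviour the reply describes (an MFA verification that stays valid for a configurable window and is reset when the user agent changes) so the effect of shortening PASSBOLT_AUTH_TOKEN_EXPIRY can be reasoned about: a shorter window bounds how long a stolen session skips the second factor, but only a per-login enforcement flag (here the hypothetical `force_every_login`) closes the window entirely. The "N unit" expiry string format, the timestamps and the user agent strings are constructed for the example.

```python
# Added example: models the MFA "remember" window described in the reply.
# Not Passbolt's implementation; storage, cookies and token handling are not reproduced.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

DEFAULT_EXPIRY = timedelta(days=3)  # the reply's default of '3 days' / 72h


@dataclass
class MfaVerification:
    """The last successful second-factor check for a user (constructed record)."""
    verified_at: datetime
    user_agent: str


def parse_expiry(value: str) -> timedelta:
    """Parse an expiry string such as '3 days' or '24 hours'.

    Assumed format for the example: '<integer> <unit>', unit in seconds/minutes/hours/days.
    """
    number, unit = value.split()
    unit = unit.rstrip("s")
    factors = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
    return timedelta(seconds=int(number) * factors[unit])


def mfa_required(
    prev: Optional[MfaVerification],
    now: datetime,
    user_agent: str,
    expiry: timedelta = DEFAULT_EXPIRY,
    force_every_login: bool = False,  # hypothetical flag for the requested feature
) -> bool:
    """Return True if the user must complete MFA again on this login."""
    if force_every_login:
        return True          # the feature request: challenge on every login
    if prev is None:
        return True          # no prior verification, e.g. first login after enabling MFA
    if user_agent != prev.user_agent:
        return True          # window is reset when the user agent changes
    return now - prev.verified_at >= expiry


def run_scenarios() -> Dict[str, bool]:
    """Constructed scenarios: one verification, then logins under different settings."""
    t0 = datetime(2021, 1, 1, 9, 0, tzinfo=timezone.utc)
    chrome = "Mozilla/5.0 (X11; Linux x86_64) Chrome/90.0"    # constructed UA
    firefox = "Mozilla/5.0 (X11; Linux x86_64) Firefox/88.0"  # constructed UA
    prev = MfaVerification(verified_at=t0, user_agent=chrome)
    one_day = parse_expiry("24 hours")

    return {
        # default 72h window: a login the next morning is accepted with password only
        "default_next_day": mfa_required(prev, t0 + timedelta(hours=25), chrome),
        # 24h window: the same login is now challenged
        "24h_next_day": mfa_required(prev, t0 + timedelta(hours=25), chrome, one_day),
        # still inside the 24h window: no challenge, the gap the reply points out
        "24h_within_window": mfa_required(prev, t0 + timedelta(hours=23), chrome, one_day),
        # different browser: challenged even inside the window
        "new_browser": mfa_required(prev, t0 + timedelta(hours=1), firefox),
        # per-login enforcement: challenged minutes after a verification
        "force": mfa_required(prev, t0 + timedelta(minutes=5), chrome, force_every_login=True),
    }


if __name__ == "__main__":
    for name, required in run_scenarios().items():
        print(f"{name:20s} MFA required: {required}")
```

The `24h_within_window` case is the one to keep in mind when tuning the variable: a shorter lifetime only narrows the window during which a compromised session cookie skips the second factor, and, as the reply notes, the same setting also shortens other tokens such as the registration email token.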

Thanks for the quick feedback

It would be awesome if it gets implemented :slight_smile:


It will be, I’ll personally work on it! :slight_smile:

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.

Did a feature get implemented for this? We are currently facing the same issue.