As an admin I should be able to force MFA setup and MFA at every login for my users

grandahl · December 9, 2020, 1:55pm

Checklist
[x] I have read intro post: About the Installation Issues category
[x ] I have read the tutorials, help and searched for similar issues
[ ] I provide relevant information about my server (component names and versions, etc.)
[ ] I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to trouble shoot the problem
[ ] I describe the steps on how to reproduce the issue

Hi we have bought Passbolt Pro because of 2FA.
We have set it up and it seems in the administrator interface that everything is working.
We have set it up for Google Authenticator and DUO.

The issue is that it is not working, when we write our password at login, it is just logging us in without asking for 2FA… I am thinking it could be something to do with expire time on 2FA, so how can i disable that so it ALWAYS asks for 2FA ?

remy · December 9, 2020, 1:54pm

hi @grandahl,

The MFA functionality was designed with different requirements. By default the MFA authentication is valid for 72h and is resetted if the user agent changes. This is similar to how MFA works on large websites such as google, where there is a balance between usability and security.

However we can implement an option for an administrator to enforce the behavior you mention (MFA required for every login, including the first one). In that regard, I’m changing this issue as a feature request. We will tackle it at some point.

In the meantime you can shorten the life of the authentication token (this will affect other tokens, such as the registration emails token), using the environment variable PASSBOLT_AUTH_TOKEN_EXPIRY (by default set to ‘3 days’). If you set it 24h your users will require MFA at least once a day.

Feel free to contact us on support@passbolt.com if you have further questions.

grandahl · June 25, 2019, 12:20pm

Thanks for the quick feedback

It would be awesome if it gets implemented

remy · June 25, 2019, 12:21pm

It will be, I’ll personally work on it!

system · June 30, 2019, 12:26pm

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.

remy · July 22, 2020, 10:31am

Speatzle · November 22, 2020, 11:58am

Did a Feature get Implemented for this? We are currently facing the same issue.