CE MFA migration/restore issue [changing ssl or domain will break mfa in migration]

Hi all,

I am fairly new to Passbolt so please do bear with me. I am a system administrator currently in the process of setting up MFA for a small company and am testing out the basics before deploying company-wide. For all our users MFA will be “enforced” (I am aware it is not actually possible to enforce but I will regularly be checking the list and pestering anyone who does not have MFA enabled). I am aware this is a fairly new addition to the CE and wonder if there is anything additional that needs to be backed up/transferred over if restoring Passbolt? I am using Duo (TOTP).

When I migrated over, I set everything up as normal, then imported the passbolt.php file and main passbolt database. I went through the online setup and imported the PGP key successfully; the public key generated matched the public key from the original server. So far so good. I try to log in as myself, am asked for my private key which is accepted, however the OTP is not accepted at all. I checked and the timezone was right. Even weirder, after this I could no longer log into my original account with TOTP! I had to get the only other admin to disable MFA for me.

One thing that might have caused this was that I was using a different hostname and no SSL, would this be relevant? Or is there some sort of MFA file/config I should be transferring across? (Btw, the combination of (a) Passbolt’s difficulty handling more than one user on a browser and (b) insistence on a browser extension makes testing extremely difficult).

Please let me know if you have any insights. Thanks,
Joe

Hi @joe, welcome to the forum!

Not related to backup, but just an FYI this MFA method doesn’t work on mobile yet.

Even changing from http to https will be considered a “different site” from the extension’s point of view and would require a re-install of the extension (which would use the recovery process as you are describing). Regarding a different hostname - if the install is using the hostname at all for DNS resolution, this may cause a problem if it’s changed (among other possible effects).

It’s not an insistence on an extension - the extension is core to the security model of Passbolt. See: Passbolt Help | Why do I need a browser extension?

Regarding more than one user on a browser - if multiple users are using the same login on the same machine and using a Chrome browser, they can have separate profiles in the Chrome browser, and this facilitates having multiple extensions/Passbolt users.

Can you run your backup test again with the first installation using https and the same hostname, so that the backup attempt is also the same hostname, domain and also https? This will help isolate your scenario regarding TOTP. I think we would expect it to work without the other changes in the mix.
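A pre-migration check for the scheme/hostname mismatch described in this reply, as an added example that is not part of this thread or of Passbolt's own code. It assumes the restored server's intended URL is known and that the source passbolt.php carries the standard `'fullBaseUrl' => '...'` entry; the config fragment below is constructed, not a real site.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the relevant fragment of a source passbolt.php.
SOURCE_CONFIG = """
return [
    'App' => [
        'fullBaseUrl' => 'https://passbolt.example.internal',
    ],
];
"""


def full_base_url(php_config: str) -> str:
    """Extract fullBaseUrl from a passbolt.php fragment (assumes the
    usual single-quoted 'fullBaseUrl' => '...' form)."""
    m = re.search(r"'fullBaseUrl'\s*=>\s*'([^']+)'", php_config)
    if not m:
        raise ValueError("fullBaseUrl not found in config")
    return m.group(1)


def origin(url: str) -> tuple:
    """Browser-style origin: (scheme, host, effective port)."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme.lower(), p.hostname.lower(), port)


def migration_origin_issues(source_url: str, target_url: str) -> list:
    """List the origin differences that make the browser extension treat the
    restored instance as a different site (and thus break the MFA pairing).
    An empty list means the restore keeps the same origin."""
    s, t = origin(source_url), origin(target_url)
    issues = []
    for label, a, b in zip(("scheme", "hostname", "port"), s, t):
        if a != b:
            issues.append(f"{label} changes {a} -> {b}")
    return issues


if __name__ == "__main__":
    src = full_base_url(SOURCE_CONFIG)
    # Constructed target: plain http on a different test hostname.
    for issue in migration_origin_issues(src, "http://test-box.example.internal"):
        print("WARNING:", issue)
```

Run it against the real source config and the planned target URL before the restore; any warning means the extension re-pairing and MFA recovery flow described above should be expected rather than treated as a backup problem.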

Ok, I set up the SSL certs and changed the hostname and it did indeed work! Thanks Garrett! Also thanks for the tip re multiple profiles.

Cheers once again,
Joe
