Ok, I understand from a community vs paid version perspective why you initially set the MFA options in the community version so they cannot be forced on. However, in today's world, where 2FA is the next layer of security for everything, it doesn't make sense not to allow admins on the community version to enforce it.
Just think of it this way: if any company decided not to pay for Passbolt because the CFO and CEO are too cheap, and some hacker manages to gain access to their password lists, it could look very bad in the consumer's eye. The best thing to do would be either to provide MFA/Duo with the enforcement option in the community version or to remove it altogether and only provide it as an option in the paid version.
Hello @3GLighting,
Thanks for sharing your valuable feedback.
if any company decided not to pay for Passbolt because the CFO and CEO are too cheap, and some hacker manages to gain access to their password lists, it could look very bad in the consumer's eye
I have to say that Passbolt is already MFA by default, because you have to provide the recovery kit, which is the private key, and you have to know the passphrase associated with it. It means that you have the knowledge factor, which is the passphrase, and the possession factor, which is the private key.
On top of that, we've implemented MFA, e.g. with TOTP, YubiKey or DUO as you were mentioning. Currently, in the PRO version with MFA Policy, we give administrators the choice to prompt their users to configure MFA. However, we are not enforcing it. Users are still able to opt out, but they will be reminded every time they log in.
A potential workaround would be for the administrators running Passbolt CE to monitor whether their users have enabled MFA from the Users workspace. It could also be an internal policy.
As of July 1st, MS will be enforcing MFA on their 365 for all clients. I am sure you will see other vendors doing the same. Here at our office, if an employee decides they don't want to use MFA to get their 365 emails, then all they get is internal company email access, nothing external. Since a lot of Systems Admins don't know how to manage their 365 to limit the risk of access from the outside, it makes sense why MS wants to enforce it.
And maybe I was also using too strong a word. I meant ideally prompt users to start using it, but make it so they continue to be prompted until they bug the Systems Admin, who reminds them why it's important to have it.