Passbolt MFA integration and flow

Currently doing extensive testing on PB4.1.0 - particularly the upgrade/migration process and MFA, both DUO and TOTP.

Passbolt should really consider implementing a way to set and ENFORCE MFA for all users… allowing everyone to decide if they want to enable MFA is not a realistic approach.
*we have patched together a work-around for this with a scheduled/trigger simple INSERT/UPDATE query to passbolt database account_settings table. This works fine for now to solve this critical requirement, but should really be part of the base system.

It would be fantastic if the additional, intermediate, click-though dialog for MFA could be removed. It simply adds another click, time and frustration for people already annoyed by MFA inconvenience. We took a quick look through the code and could not see a programming reason this dialog is necessary but maybe we are missing the reason this is in place.

:wave: Hey @Cordeos,

Passbolt does provide MFA enforcement using Password Policy (Pro) released with v3.9.0. By default, it’s always up to users to decide if they have to enable MFA or not.

Regarding the intermediate dialog when MFA is enabled, currently there is no way to bypass the Duo dialog. For other MFA providers than Duo, you can select “Remember this device for a month” checkbox when performing a MFA so that it won’t show MFA dialog for a month.

We have created a internal ticket (PB-16115) to check the possibility to support “Remember this device for a month” option for Duo as well.

Thank you for the kind reply - but I think there might be a misundertanding of the items we noted:

  1. MFA of the preferred type should be able to forcible set to ENABLED on all existing accounts and by default on any new accounts by the admin setting and users cannot disable it (or as our work-around currently accomplishes, it is automatically re-enabled within 2-hrs). We have not seen any documentation or information regarding this in either PRO or CE versions.

We strongly disagree 2FA should be up to the users - most will ‘conveniently’ forget to enable, not know how to, or just never get around to it - even if it is a team requirement. Completely defeats the purpose of better security if half the team does not have it enabled.

  1. We would not vote for a ‘remember this device for a month’ - we definitely would not want this and would go to great lengths to disable this option if it ever became reality. We absolutely would not want users able to logon for a month without getting an MFA prompt. We would strongly want to disable any ‘forget this device’ period more than 24-hrs at most.

You mentioned there is no way to bypass the DUO MFA dialog - but it begs the question… why is this extra step/click there?

Thanks for clearing it up for me.

I see you want an option to enforce an MFA policy that blocks access to passwords if the user has not set up the MFA. Which makes sure all users who are using the passbolt have enabled the MFA. Hope this is what you are proposing?

Regarding #2, I understand your concern, we will investigate if we can reduce the additional Duo MFA dialog page(ticket for internal reference: PB-25322), if not that at least redirect the user automatically to the Duo verification page without any user interaction.

Actually, we are proposing an admin ability to have MFA automatically setup FOR users and cannot be changed by them (aka enforced). Users have no need or ability to enable (or disable) MFA for themselves. So unless they have the proper MFA already in place they would never be able to logon to passbolt at all, except for the initial enrollment. As an example, here is a simplified version of the UPDATE/INSERT SQL we use in a side-band scheduled fashion to accomplish this now (in testing/dev systems):

INSERT INTO account_settings (id, user_id, property_id, property, value, created, modified)
SELECT uuid() as entryid, as userid,
‘${$passbolt_mfa_propertyid}’ as property_id,
‘mfa’ as property,
‘{“providers”:[“duo”],“duo”:{“verified”:“${$execute_timestamp}”}}’ as value,
now() as created, now() as modified
from users U
where AND U.deleted=0;

1 Like

@ishan - We do want to thank you for taking the time to read and respond to our forum message. It is extremely kind and sincerely appreciated.

Hi Guys,
I think was @Cordeos is proposing is the right approach for any password manager, hope the developers implement this in the CE as its essential.
thanks a lot.

1 Like

Can the MFA option be added to select specific users to enforce MFA, as opposed to just “OPT In” or “Everyone/All”?