Limit MFA scope to member groups #398

Open
brynwhyman opened this issue Jul 9, 2020 · 1 comment
Comments


brynwhyman commented Jul 9, 2020

Overview

We've heard from project teams that adding MFA to some sites is blocked if the project includes members that do not have access to the CMS.

In these cases, Site Owners would like the MFA flow to only apply to certain users that have some level of access to the CMS.

A common example is where member profiles are being used to store customer login details for a separate portal managed within the site.

Options

In both of these options, if a user has already registered MFA for their account, they will continue using MFA each time they log in regardless of MFA settings.

Regardless of which option we select, we have to decide:

  • Is being prompted to register with MFA the first time you log on necessary for anyone who has the option of using MFA? (I strongly recommend yes)

Option 1: If you're not in the group, you can't register MFA for your account

This is the behaviour of the existing PR.

  • By default, no group is selected and the behaviour applies to everyone
  • You can select groups for both making MFA optional and for making MFA required.
  • If you select one or more groups, only members of those groups will be prompted to or allowed to register for MFA

Option 2: Groups only apply for making MFA required

This was suggested (and designed for) in #409 (comment) but later rejected in favour of option 1.

  • By default, no group is selected and the behaviour applies to everyone
  • If you make MFA optional, you cannot select groups. Optional is optional for everyone.
  • If you make MFA required, you can choose to only make it required for specific groups. For anyone not in those groups, MFA will be optional - i.e. the behaviour for them will be identical to how it is when setting optional for everyone.

PRs

@brynwhyman (Author)

I thought this would have been partly possible by at least only limiting the MFA flow to users who have some sort of access to the CMS, but apparently that's not the case.

I'm tracking down more information on this.
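Worked example, added here and not part of the issue or of the silverstripe-mfa module's code: a plain-PHP model of how the two options above treat a member who is outside the selected groups, with the "already registered keeps using MFA" rule applied to both. The `MfaScopePolicy` class, its method names and the group codes `administrators` and `customers` are hypothetical stand-ins; the module's real enforcement services are not shown.

```php
<?php
// Added example: models the two group-scoping options discussed in the issue.
// NOT code from silverstripe-mfa; class, method and group names are hypothetical.

declare(strict_types=1);

final class MfaScopePolicy
{
    public const SKIP     = 'skip';     // never prompted, cannot register MFA
    public const OPTIONAL = 'optional'; // prompted to register on first login, may skip
    public const REQUIRED = 'required'; // must register if not yet done, then verify on every login

    /**
     * @param string   $option       'option1' or 'option2', as numbered in the issue
     * @param bool     $required     Site-wide setting: MFA required (true) or optional (false)
     * @param string[] $scopedGroups Group codes the setting is limited to; empty = everyone
     */
    public function __construct(
        private string $option,
        private bool $required,
        private array $scopedGroups,
    ) {}

    /**
     * Decide how the MFA flow treats one member.
     *
     * @param string[] $memberGroups  Group codes the member belongs to
     * @param bool     $hasRegistered Member already has an MFA method registered
     */
    public function decide(array $memberGroups, bool $hasRegistered): string
    {
        // Both options: a member who already registered keeps using MFA
        // on every login, regardless of the current settings.
        if ($hasRegistered) {
            return self::REQUIRED;
        }

        // No group selected = the setting applies to everyone.
        $inScope = $this->scopedGroups === []
            || array_intersect($this->scopedGroups, $memberGroups) !== [];

        if ($this->option === 'option1') {
            // Option 1: the selected groups scope both "optional" and "required".
            // Outside those groups you are neither prompted nor allowed to register.
            if (!$inScope) {
                return self::SKIP;
            }
            return $this->required ? self::REQUIRED : self::OPTIONAL;
        }

        // Option 2: groups only scope "required"; "optional" always means everyone.
        // A member outside the groups gets exactly the "optional for everyone" behaviour.
        if ($this->required && $inScope) {
            return self::REQUIRED;
        }
        return self::OPTIONAL;
    }
}

// Constructed scenario (not from the issue): MFA is set to "required" and scoped to
// the 'administrators' group. 'customers' are member records used only to hold
// portal logins and have no CMS access.
$scopedGroups = ['administrators'];

$option1 = new MfaScopePolicy('option1', true, $scopedGroups);
$option2 = new MfaScopePolicy('option2', true, $scopedGroups);

$cases = [
    'admin, not yet registered'    => [['administrators'], false],
    'customer, not yet registered' => [['customers'],      false],
    'customer, already registered' => [['customers'],      true],
];

foreach ($cases as $label => [$memberGroups, $registered]) {
    printf(
        "%-30s option1=%-8s option2=%s\n",
        $label,
        $option1->decide($memberGroups, $registered),
        $option2->decide($memberGroups, $registered)
    );
}
```

Run with `php example.php`. The only row where the two options diverge is the unregistered customer: under option 1 they are skipped entirely (no prompt, no way to register), while under option 2 they fall back to the optional flow and are still prompted on first login. The admin and the already-registered customer get `required` under both options, the latter because registration overrides the settings in both designs.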


5 participants