DaanHoogland commented on PR #7870:
URL: https://github.com/apache/cloudstack/pull/7870#issuecomment-1683494956

> > > > In addition to @harikrishna-patnala 's comment, I wonder if scenario 11 is really what we want? As an operator I want to force my users to use 2FA. Scenario 11 negates that. What do you think @winterhazel ?
> > >
> > > Good point @DaanHoogland
> > > @winterhazel can you test if `mandate.user.2fa` is set to `true`?
> >
> > @DaanHoogland @weizhouapache
> > You can force users to use 2FA by enabling the global setting `mandate.user.2fa`. If this setting is set to `true`, when a user disables his 2FA through the `setupUserTwoFactorAuthentication` API, he will need to reconfigure it the next time he logs in in order to proceed. I have tested it.
> > However, I think we can reconsider the behavior of this API to not allow users to disable their 2FA in the first place when this setting is enabled, and return a message saying that 2FA is mandatory, since users may think the current behavior is a bug.
>
> I would say we can still allow disabling the 2FA just in case the user wants to reset the 2FA settings to use another provider. To provide more visibility to the user, we can pop up a warning message when the user tries to disable 2FA saying something like "2FA needs to be set up again since it is mandated by the admin".

This makes sense @harikrishna-patnala, but it would not have to be included in this PR. It seems like a separate improvement.

cc @weizhouapache @winterhazel ??
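The two behaviours discussed above (the current one, where disabling 2FA is allowed but the user is forced to set it up again at next login, and the proposed one, where the disable call is refused while `mandate.user.2fa` is on) as an added model, not CloudStack code: `disable_two_fa` and `login` are hypothetical stand-ins for `setupUserTwoFactorAuthentication(enable=false)` and the login flow, and the setting is read from a plain dict instead of CloudStack's configuration store.

```python
from dataclasses import dataclass
from typing import Optional

# Global setting name as discussed in the thread; values are strings like CloudStack's settings.
MANDATE_USER_2FA = "mandate.user.2fa"


@dataclass
class User:
    name: str
    two_fa_enabled: bool = False
    two_fa_provider: Optional[str] = None


def is_mandated(settings: dict) -> bool:
    return settings.get(MANDATE_USER_2FA, "false").lower() == "true"


def disable_two_fa(user: User, settings: dict, reject_when_mandated: bool = False) -> dict:
    """Hypothetical stand-in for setupUserTwoFactorAuthentication(enable=false).

    reject_when_mandated=False: current behaviour, the user may disable 2FA;
    when the admin mandates 2FA a warning is returned so the user is not surprised
    at next login. reject_when_mandated=True: the proposed stricter behaviour,
    the call is refused and the user's 2FA configuration is left untouched.
    """
    if is_mandated(settings) and reject_when_mandated:
        return {"ok": False, "message": "2FA is mandatory for this account"}
    user.two_fa_enabled = False
    user.two_fa_provider = None
    warning = None
    if is_mandated(settings):
        warning = "2FA needs to be set up again since it is mandated by the admin"
    return {"ok": True, "message": warning}


def login(user: User, settings: dict) -> str:
    """Next step of the login flow. A user with 2FA must verify a code; a user without
    2FA is forced into setup when the admin mandates it, otherwise login proceeds."""
    if user.two_fa_enabled:
        return "verify_2fa_code"
    if is_mandated(settings):
        return "force_2fa_setup"
    return "proceed"
```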


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.