Re: [SOGo] MFA settings

2021-12-16 Thread mj




On 09-12-2021 at 08:04, Christian Mack
(christian.m...@uni-konstanz.de) wrote:

> Good point.
> Like enforcing password changes.
>
> You could open an enhancement request for that on
> https://sogo.nu/bugs/

Done, here: https://www.sogo.nu/bugs/view.php?id=5446

MJ
--
users@sogo.nu
https://inverse.ca/sogo/lists


Re: [SOGo] MFA settings

2021-12-08 Thread Christian Mack
Hello

On 08.12.21 22:00, mj (li...@merit.unu.edu) wrote:
> Hi Christian,
> 
> On 08-12-2021 at 18:17, Christian Mack
> (christian.m...@uni-konstanz.de) wrote:
>> How does the user get its TOTP initialization vector then?
>> She/he cannot log in without it, but can only scan the QR code while
>> logged into SOGo ;-)
> 
> Well obviously it would mean: After the admin forces it, on the next
> login, those users would be required to set up and activate MFA.
> 

Good point.
Like enforcing password changes.

You could open an enhancement request for that on
https://sogo.nu/bugs/

>> What for?
>> Either you want to protect your account with 2FA or not.
>> You can use long sessions, therefore only log in once a day.
> 
> You could require MFA from WAN, and not require it from LAN/VPN, for
> example. That's not unusual.
> But I understand from your replies that you don't see it that way ;-)
> 

Yes, in my opinion that habit is a relic of times when you could trust
your own network and all devices on it.
In times of bring-your-own-device and using private smartphones all the
time, this does not apply anymore.
Every client can be infected, and should be treated as such.
I know, security is annoying.


Kind regards,
Christian Mack

-- 
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung IT-Dienste Forschung und Lehre
78457 Konstanz
+49 7531 88-4416





Re: [SOGo] MFA settings

2021-12-08 Thread mj

Hi Christian,

On 08-12-2021 at 18:17, Christian Mack
(christian.m...@uni-konstanz.de) wrote:

> How does the user get its TOTP initialization vector then?
> She/he cannot log in without it, but can only scan the QR code while
> logged into SOGo ;-)

Well obviously it would mean: After the admin forces it, on the next
login, those users would be required to set up and activate MFA.

> What for?
> Either you want to protect your account with 2FA or not.
> You can use long sessions, therefore only log in once a day.

You could require MFA from WAN, and not require it from LAN/VPN, for
example. That's not unusual.

But I understand from your replies that you don't see it that way ;-)

Thanks!

MJ


Re: [SOGo] MFA settings

2021-12-08 Thread Christian Mack
Hello

On 08.12.21 at 09:19, mj (li...@merit.unu.edu) wrote:
> Hi,
> 
> We are looking at the MFA settings in SOGo, and it seems to work fine.
> 
> However, it seems a bit basic: you can only turn it on and off yourself
> for your own account. Unless we miss something?
> 
> Are there also settings like:
> 
> - admin forced mandatory MFA for all or specific users?

How does the user get its TOTP initialization vector then?
She/he cannot log in without it, but can only scan the QR code while
logged into SOGo ;-)

> - define 'trusted' IP ranges that are excluded from MFA?
> 

What for?
Either you want to protect your account with 2FA or not.
You can use long sessions, therefore only log in once a day.


> I've searched the docs on
> https://www.sogo.nu/files/docs/SOGoInstallationGuide.html but it doesn't
> mention any config for MFA.
> 

Correct, there are none.


Kind regards,
Christian Mack

-- 
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung IT-Dienste Forschung und Lehre
78457 Konstanz
+49 7531 88-4416





[SOGo] MFA settings

2021-12-08 Thread mj

Hi,

We are looking at the MFA settings in SOGo, and it seems to work fine.

However, it seems a bit basic: you can only turn it on and off yourself 
for your own account. Unless we miss something?


Are there also settings like:

- admin forced mandatory MFA for all or specific users?
- define 'trusted' IP ranges that are excluded from MFA?

I've searched the docs on 
https://www.sogo.nu/files/docs/SOGoInstallationGuide.html but it doesn't 
mention any config for MFA.


Thanks,
MJ