Meshcentral: force2factor doesn't force (two) factor

Created on 12 Dec 2020  路  6Comments  路  Source: Ylianst/MeshCentral

It appears that even with "passwordRequirement":{"force2factor":true} set in config.json, adding a new user (via command line or GUI) doesn't force that user to set up MFA upon their initial login. The user still has to actually go to My Account > Account Security > Manage Authenticator App which, IMHO, negates the whole idea of setting this config option in the first place. With this config option set, I should be able to set up any user and the application should see that their security settings aren't recorded in the database and therefore immediately force them into setting up their MFA, before they can do anything else within the application.

Fixed - Confirm & Close bug
Source
picture D4V3M0NK

All 6 comments

Upon login, the user should see a nag screen saying that they must setup 2FA before they can interact with any devices or create any device groups. Next time I am working, I will check to make sure it's not broken.

Ylianst picture Ylianst on 12 Dec 2020
👍1

As per screenshot in #2071, I didn't have "no2FactorAuth": false set in the config (I just had the "force2factor": true set), but that didn't seem to make any difference

D4V3M0NK picture D4V3M0NK on 12 Dec 2020

Actually @Ylianst when I log in (without MFA set up ) and select Device Group, you're absolutely right - I do see the nag screen - however, it appears that I can still go into other areas of the application (including Users where I can delete them, if an admin) and potentially cause issues.

I appreciate that this is a perception but IMHO, if MFA is to be used and forced for users, the application shouldn't permit any access to anywhere, other than to set up that users MFA device. It should be only after that's been accomplished, that the user can then proceed into the application proper and interact with all permissible functions.

D4V3M0NK picture D4V3M0NK on 13 Dec 2020

Ok, I can make the nag screen cover more of the options. I initially did not think the nag screen would need to cover administrative tabs, but I think it's a good idea.

Ylianst picture Ylianst on 14 Dec 2020
👍1

Ok, 2FA setup nag screen now covers more tabs. This will be in MeshCentral v0.7.25.

Ylianst picture Ylianst on 15 Dec 2020

This fix was published a while back. Feedback and/or close appreciated :)

Ylianst picture Ylianst on 17 Dec 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

vish84 picture vish84  路  3Comments
PathfinderNetworks picture PathfinderNetworks  路  3Comments
penguinthingie picture penguinthingie  路  4Comments
haxmachine picture haxmachine  路  3Comments
MailYouLater picture MailYouLater  路  3Comments