Ability to enforce two-factor authentication #880
Comments
lunny
added
the
type/feature
|
As for per-organization change, I propose that if you login w/o 2FA enabled you're account will be redirected to Obviously the 2FA-page would need an update to list orgs (that require 2FA) to leave if you disable 2FA. |
|
This feature is very important for overall security. Best way to implement it would be to have it a part of Authenticators settings, that way you can for example require 2fa for ldap imported users while having it optional for local users. |
|
Just wondering if this is implemented as i think its pretty nice feature to have within an organization |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions. |
lunny
added
issue/confirmed
|
I am but a simple Gitea user, would like to voice that my organization would also find this a very important feature. Please! |
|
Ok if we're gonna do this we need to think about what happens if a user tries to login without two factor. Is it that they get redirected immediately to the enroll 2fa page similar to the must change password screen? |
|
It would already be enough if we could enforce the setting for each user one by one. |
That would be reasonable. |
@zeripath I think the best way is to redirect to the 2FA Settings page, and show a message "Your administrator has made 2FA mandatory for all users who use $AUTHENTICATION_SOURCE authentication." |
|
Any updates on this? This feature would also be super important for me. Thanks! |
|
#16880 try to fix this but closed. |
|
That's an impossible task at the moment. See #13606 (comment) But if you are using Gitea for private usage, you can take the PR #16880 (build your own Gitea) , it works well for that case. I am keeping sync my 2FA branch with main branch. I closed #16880 to reduce invalid pending PRs and avoid unnecessary CI resource consumption. |
|
Would like the ability to easily specify the algorithm, digit count, and period across the server. |
|
For organizations, I think it would be better to make the member somehow inactive until they enable 2FA. And then users can add 2FA or remove themselves from the organization when they want to. Organizations shouldn't have the power to disrupt a user's login in my opinion. Also for API application access, one organization adding an 2FA requirement should not block access entirely, so you would need a concept of inactive membership in only some organizations anyway. Or just removing the member of course, it's just a bit less convenient. Then the member can not fix the problem themselves but rather has to ask the owner to add them again. |
To me this is a logical and easy way to implement this. We don't have to mess with the current login system, but can simply restrict the user's capabilities until they enable 2FA. |
|
I think it might be good to hide the fact that 2FA isn't enabled for a user from other entities, so that Organizations can't probe accounts to figure out if they have 2FA (at least until they become a member with 2FA?)? Rogue Organizations, I'm thinking. |
|
Any status/progress on this issue? |
|
No, but you could build your own binary by my patch #16880 (there are design details) / https://github.com/wxiaoguang/gitea/tree/enforce-2fa |
Does your patch enforce site wide 2FA, or is it per-organization? Is there a PR to merge this into the main source? |
|
Apparently this feature is now advertised as a Gitea Enterprise edition advantage, so I assume this feature won't happen in the open source edition? |
|
Why would this be an Enterprise-only feature? |
|
Sorry, I didn't include a reference: https://blog.gitea.com/gitea-enterprise/ |
|
It will certainly be added to the project, or at the very least, I hope it will be, as any contribution needs to follow the contribution guidelines and the process outlined in the document. The status of the code in the commercial offering from CommitGo, is that it was developed for a customer, and we are working with them to ensure that the code can and does meet the DCO that Gitea requires of any contribution. I believe the PR linked above can still be applied to a Gitea build, and will meet your needs. From the comments on it, a different approach and changes elsewhere in the system may be the path forward that the project will take, as a proposal for a working group to discuss was suggested. |
|
Good to hear 👌 I may have to increase my monthly donations 😅 |
Currently, two-factor authentication is optional. It would be nice if we had a global (site) or per-organization setting to enforce two-factor authentication.
The text was updated successfully, but these errors were encountered: