Allow users to choose one method instead of all when 2FA is enforced #31
Comments
Thank you for opening this issue! I am closing this along with others due to 2fa currently undergoing a very large internal rewrite/refactor; this change will not be needed in the new version.
@nathanjosiah Please can you provide a link to the work that you've suggested was underway last year? We have exactly the problem described in this issue. What's the timeline for the work you've mentioned? Would you be willing to accept a pull request that solves this problem in the meantime?
Hello @fredden, the work can be seen in #230. The security package 1.0.0 version that released alongside Magento 2.4.0 came with a huge refactor/rewrite of 2fa. The merchant is able to configure which 2fa methods are enabled and the admins have to configure each of them. However, once they are configured the user may choose which one they want to use. We do allow the user to bypass configuration of methods as long as there is at least one method configured. But this is mainly to support workflows where a merchant may require multiple methods but the user is temporarily only able to configure one of them (for example if they do not yet have the company issued U2F physical key).
Thanks for the update / context. We're having the described problem / behaviour with a merchant on Magento v2.3.6-p1. I'll let them know that the experience is different with v2.4.0+. We're likely to need something in the short term while the 2.4 upgrade is in progress; I'll have a look at the linked pull request for inspiration on what can/shouldn't be changed locally.
MC-32830: Do not store admin and customer tokens in DB
Preconditions
Steps to reproduce
Expected result
Actual result
For a customer, we want to enforce usage of 2FA but let the users decide which method to use (in our case either Google or U2F Key). Since the module does not currently support this scenario, we must manually make sure that each user has at least one 2FA method configured.