• kloproterra

    (@kloproterra)


    This plugin requires individual users to manage 2FA. Individual users can remove 2FA from their profile at any time leaving that account vulnerable. An admin would need to check regularly that this hasn’t been removed.

    There is discussion about a custom function to force a user back to the profile page. I tested this. A user can still leave the account with 2FA off, albeit they cannot navigate anywhere but the profile page. However, in this state a bad actor can log in with a password only to the unprotected account, then configure 2FA to their own device, which then removes the redirect and therefore undermines the entire process. This is a significant flaw.

    However, the plugin can protect a single admin account but any sort of user hierarchy is not protected.

Viewing 1 replies (of 1 total)
  • Plugin Contributor Brian Haas

    (@masteradhoc)

    Hi @kloproterra,

    You’ve identified a genuine, well-known limitation of this plugin. The Two Factor plugin currently works on a voluntary, per-user basis — each user must opt in to configure a second factor themselves. There is no built-in way for a site administrator to require that users in certain roles have 2FA configured before they can access the site. This gap is consistently the most-requested missing feature in the plugin.

    There is an open GitHub issue (#846) tracking role-based enforcement as a planned feature, but it isn’t in the plugin yet.

    Sorry the plugin doesn’t meet your use case in its current state — hopefully the enforcement feature lands in a future release.
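One way a site owner can close the gap described in this thread today, without waiting for the enforcement feature, is a must-use plugin that refuses a password-only login for users in enforced roles who have no second factor configured, and that lets an admin audit those roles. The code below is an added example written for this review, not code from the Two Factor plugin or its contributors. It assumes the plugin's public `Two_Factor_Core::is_user_using_two_factor()` method, assumes the role list and the `req2fa_` function names (both constructed here), and assumes an administrator enrols the user's first provider (for instance the email provider) from the user's edit screen, because the hardened login path deliberately never lets an unenrolled user log in to enrol themselves. Because it lives in `wp-content/mu-plugins/`, individual users cannot deactivate it from their profile.

```php
<?php
/**
 * Plugin Name: Require 2FA for privileged roles (example, not the Two Factor plugin's own code)
 * Description: Deny login to users in enforced roles until an administrator has
 *              enabled a second factor for them, and provide an audit helper.
 * Install:     wp-content/mu-plugins/require-2fa-roles.php
 */

// Constructed example list of roles that must have a second factor before logging in.
const REQ2FA_ENFORCED_ROLES = array( 'administrator', 'editor', 'shop_manager' );

/**
 * Does this user fall under the enforcement policy? (hypothetical helper)
 */
function req2fa_user_needs_2fa( WP_User $user ) {
    return (bool) array_intersect( REQ2FA_ENFORCED_ROLES, (array) $user->roles );
}

/**
 * Has the Two Factor plugin got at least one enabled provider for this user?
 * Fails closed when the plugin is not active.
 */
function req2fa_user_has_2fa( WP_User $user ) {
    if ( ! class_exists( 'Two_Factor_Core' ) ) {
        return false;
    }
    return (bool) Two_Factor_Core::is_user_using_two_factor( $user->ID );
}

/**
 * 'authenticate' filter: returning WP_Error stops the login before any session
 * exists, so the "log in with a password, then enrol your own device" bypass
 * from the review above is not reachable. A redirect-to-profile approach, by
 * contrast, has already created an authenticated session at this point.
 */
function req2fa_block_unenrolled_login( $user, $username, $password ) {
    if ( ! ( $user instanceof WP_User ) ) {
        return $user; // an earlier check already failed; pass its error through
    }
    if ( req2fa_user_needs_2fa( $user ) && ! req2fa_user_has_2fa( $user ) ) {
        return new WP_Error(
            'two_factor_required',
            'Two-factor authentication must be enabled on your account by an administrator before you can log in.'
        );
    }
    return $user;
}
// Priority 30 runs after wp_authenticate_username_password (priority 20),
// so the password has already been verified when this filter sees a WP_User.
add_filter( 'authenticate', 'req2fa_block_unenrolled_login', 30, 3 );

/**
 * Audit helper for the "an admin would need to check regularly" concern:
 * returns every user in an enforced role who currently has no second factor.
 */
function req2fa_unenrolled_users() {
    $unenrolled = array();
    foreach ( get_users( array( 'role__in' => REQ2FA_ENFORCED_ROLES ) ) as $user ) {
        if ( ! req2fa_user_has_2fa( $user ) ) {
            $unenrolled[] = $user->user_login;
        }
    }
    return $unenrolled;
}

// Optional WP-CLI entry point: `wp req2fa audit` lists unenrolled privileged users.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'req2fa audit', function () {
        $users = req2fa_unenrolled_users();
        if ( empty( $users ) ) {
            WP_CLI::success( 'All users in enforced roles have a second factor enabled.' );
            return;
        }
        WP_CLI::warning( 'Users in enforced roles without 2FA: ' . implode( ', ', $users ) );
    } );
}
```

The important design choice is where the check runs: on `authenticate`, a user who has removed their own providers is locked out at the next login attempt rather than being redirected after a session already exists, and an attacker holding only the password cannot use that session to enrol a device they control. The trade-off is that onboarding becomes an administrator task, which is why the audit helper exists alongside the gate.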

