2FA enforcement issue on Cloudron 9.0.13
Hi,
I have been facing issues with 2FA and 2FA enforcement since migrating to 9.0.x (not sure if this came with 9.0 or the later minor updates).
- (minor issue - arguably more of a discussion topic) Resetting 2FA for a user.
At the moment, to reset 2FA for a user, you need to edit the user profile and click on the "Reset 2FA" button.
The Reset 2FA button then disappears, but you remain on the user profile, with the "Cancel" button as the only further action (the "Save" button remains greyed out / inactive).
I found that this leaves doubt as to whether the "Reset 2FA" action has been taken into account / has worked.
(Only testing reveals that it has.)
An option would be to make the Save button active once the "Reset 2FA" button has been pressed.
An alternative would be to display a validation message confirming that 2FA has been reset for the user.
- (major issue) 2FA enforcement does not work.
Consider this: my server has User > Settings > "Require users to set up 2FA" turned on (it was already on prior to the V9 upgrade).
Problem: at the moment, there is no enforcement of 2FA registration for the end user, either for a brand new created user or when resetting 2FA for an existing user.
Upon the related user's login, there is no prompt to the user to register for 2FA. The only way to do so is voluntarily, by going into the user profile and clicking "Enable 2FA". So anything but an enforcement/requirement.
Turning the server setting off/on has no effect on the situation - I have also tested this connecting from multiple devices/browsers with no difference in the result.
I see no relevant log entries and the server appears to be healthy. This is of course an important issue, and creates a security hole.
The question is whether I am the only one experiencing this on our servers or if some other fellow Cloudronians are too? I am also unsure where to look further to troubleshoot this, so any help is appreciated.
Thanks,
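As an added illustration (not Cloudron's code, and not from the reporter), the following models the login rule the post expects from "Require users to set up 2FA": enrolment is checked on every login, so both a brand-new user and a user whose 2FA was just reset are sent to enrolment instead of getting a session. Field and function names (`requireTwoFactor`, `totpSecret`, `resetTwoFactor`) and the sample users are hypothetical and constructed.

```javascript
'use strict';
// Added example, not Cloudron's code. Models the rule the report expects from
// "Require users to set up 2FA": evaluate enrolment on every login, so a new
// user and a user whose 2FA was just reset are both sent to enrolment.
// Names (requireTwoFactor, totpSecret, resetTwoFactor) are hypothetical;
// the settings and users below are constructed sample data.

const settings = { requireTwoFactor: true };

const users = {
  alice: { username: 'alice', totpSecret: 'JBSWY3DPEHPK3PXP' }, // enrolled
  bob:   { username: 'bob',   totpSecret: null },               // brand-new, never enrolled
  carol: { username: 'carol', totpSecret: 'KRSXG5CTMVRXEZLU' }, // enrolled, reset in demo()
};

// Decide the next step once the password has been verified. Returning a
// step instead of a session is what turns the setting into an enforcement:
// an unenrolled user never receives a session while the policy is on.
function nextStepAfterPassword(user, policy) {
  if (user.totpSecret) return { action: 'verify-totp' };
  if (policy.requireTwoFactor) return { action: 'enroll-2fa', reason: 'policy' };
  return { action: 'grant-session' }; // policy off: 2FA stays optional
}

// Administrative reset. Clearing the secret is what makes the gate above fire
// on the user's next login. The structured result and audit record give the
// admin the confirmation the report says the edit dialog lacks.
const auditLog = [];
function resetTwoFactor(user, actor, policy) {
  const wasEnrolled = Boolean(user.totpSecret);
  user.totpSecret = null;
  auditLog.push({ event: 'user.2fa.reset', target: user.username, actor, wasEnrolled });
  return { ok: true, username: user.username, wasEnrolled,
           nextLogin: nextStepAfterPassword(user, policy).action };
}

// Walk the three cases from the report: enrolled, new, and reset.
function demo() {
  const carolBefore = nextStepAfterPassword(users.carol, settings).action;
  const reset = resetTwoFactor(users.carol, 'admin', settings);
  return {
    alice: nextStepAfterPassword(users.alice, settings).action, // 'verify-totp'
    bob: nextStepAfterPassword(users.bob, settings).action,     // 'enroll-2fa'
    carolBefore,                                                // 'verify-totp'
    carolAfter: reset.nextLogin,                                // 'enroll-2fa'
    policyOff: nextStepAfterPassword(users.bob, { requireTwoFactor: false }).action, // 'grant-session'
    audited: auditLog.length,                                   // 1
  };
}
console.log(JSON.stringify(demo(), null, 2));
```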
@Teiluj said in 2FA enforcement issue on Cloudron 9.0.13:
(minor issue - arguably more of a discussion topic) Resetting 2FA for a user.
That makes sense. I have made disabling 2FA a separate action now, and it's not part of the user edit dialog. https://git.cloudron.io/platform/box/-/commit/6432851a783c0016fdd34e9f700b5aacf9971170
@Teiluj said in 2FA enforcement issue on Cloudron 9.0.13:
(major issue) 2FA enforcement does not work.
Fixed in https://git.cloudron.io/platform/box/-/commit/76f2c5f9fc7ea673ddbe02e5aed9e691c85cd5c6
Thanks for reporting!
girish has marked this topic as solved