Under admin_user.php.
Force MFA is checked. However users are still able to login without MFA being applied.
Can this field be converted to a global field? I want all users to be forced to use MFA rather than on a user-by-user basis.
Aware this is an issue. In my opinion, the user experience for when a user sets up MFA needs work, as we enable it before checking they can actually generate valid codes.
It wouldn't be great to force-enable it without also forcing users to input a TOTP to confirm it's set up properly on their device. Otherwise you'll just end up with techs that are now enabled for MFA but haven't even scanned the QR code.
We'll get there.
Looking at this again, I was incorrect. Checking "Force MFA" enables MFA on login and redirects users to /user_security.php where they can scan the QR code. So it sounds like your techs are not bothering to scan the QR code and then just hitting Disable 2FA instead?
I still don't particularly like the flow (as you can end up with people locked out) but we'll remove the ability to disable MFA when it's forced: https://tasks.dev.itflow.org/task_details.php?task_id=51
Great news. Thank you.
The process will eventually be as follows: Click the "Enable MFA" button. A modal window will appear with a QR code, accompanied by instructions to either scan the QR code with your camera or copy and paste the code into your password management app (featuring a convenient "Copy to Clipboard" icon).
Below the QR code, there will be a text box to input and verify the code. Once the code is successfully verified, MFA will be enabled, and you will be logged out, requiring you to log back in.
Good call @wrongecho. I enhanced the MFA process further. As suggested, I used a session var to store the token and another session var to keep the modal open if verification fails. Also set a min/max length limit of 6.
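For anyone implementing the flow described in the two posts above (pending secret held in a session var, modal kept open on a failed attempt, 6-digit input limit, MFA only enabled after a code verifies, and no "Disable 2FA" while MFA is forced), here is an added, self-contained PHP sketch. It is not ITFlow's code: the function names, the `$session`/`$user` arrays standing in for `$_SESSION` and the users table, and the `ITFlow` issuer label are assumptions for illustration. The TOTP part follows RFC 6238 (SHA-1, 30-second step, one step of clock drift either side) and is checked against the RFC test vector at the bottom.

```php
<?php
declare(strict_types=1);

// Base32 (RFC 4648) is what authenticator apps expect in the otpauth:// URI.
const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

function base32_encode(string $bytes): string {
    $bits = '';
    foreach (str_split($bytes) as $c) {
        $bits .= str_pad(decbin(ord($c)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {
        $out .= B32[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
    }
    return $out;
}

function base32_decode(string $s): string {
    $s = strtoupper(rtrim($s, '='));
    $bits = '';
    for ($i = 0; $i < strlen($s); $i++) {
        $v = strpos(B32, $s[$i]);
        if ($v === false) { throw new InvalidArgumentException('bad base32'); }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) { $bytes .= chr(bindec($chunk)); }
    }
    return $bytes;
}

// RFC 6238 TOTP: HOTP over the 64-bit big-endian time counter.
function totp_code(string $secret, int $timestamp, int $step = 30, int $digits = 6): string {
    $hash = hash_hmac('sha1', pack('J', intdiv($timestamp, $step)), $secret, true);
    $off = ord($hash[19]) & 0x0f;
    $bin = ((ord($hash[$off]) & 0x7f) << 24) | (ord($hash[$off + 1]) << 16)
         | (ord($hash[$off + 2]) << 8) | ord($hash[$off + 3]);
    return str_pad((string)($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Exactly 6 digits (the min/max limit from the thread), constant-time compare,
// and one step of clock drift allowed either side.
function totp_verify(string $secret, string $code, int $timestamp, int $window = 1): bool {
    if (!preg_match('/^\d{6}$/', $code)) { return false; }
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totp_code($secret, $timestamp + $i * 30), $code)) { return true; }
    }
    return false;
}

// Step 1: "Enable MFA" clicked. Generate a secret, park it in the session only
// (the user record is untouched), open the modal, return the URI for the QR code.
function mfa_begin_enrollment(array &$session, string $account, string $issuer = 'ITFlow'): string {
    $session['mfa_pending_secret'] = base32_encode(random_bytes(20));
    $session['mfa_modal_open'] = true;
    return sprintf('otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=6&period=30',
        rawurlencode($issuer), rawurlencode($account), $session['mfa_pending_secret'], rawurlencode($issuer));
}

// Step 2: code submitted from the modal. Only a verified code moves the secret
// from the session onto the user and flips mfa_enabled; a bad code keeps the modal open.
function mfa_confirm_enrollment(array &$session, array &$user, string $code, ?int $now = null): bool {
    $now ??= time();
    if (empty($session['mfa_pending_secret'])) { return false; }
    if (!totp_verify(base32_decode($session['mfa_pending_secret']), $code, $now)) {
        $session['mfa_modal_open'] = true;
        return false;
    }
    $user['mfa_secret'] = $session['mfa_pending_secret'];
    $user['mfa_enabled'] = true;
    unset($session['mfa_pending_secret'], $session['mfa_modal_open']);
    return true; // caller should now end the session and require re-login
}

// "Disable 2FA" must be refused (server-side, not just hidden) while Force MFA is set.
function mfa_can_disable(array $user, bool $forceMfa): bool {
    return !empty($user['mfa_enabled']) && !$forceMfa;
}

// Self-check against RFC 6238 Appendix B: secret "12345678901234567890", T=59 -> 94287082 (6 digits: 287082).
$session = []; $user = ['mfa_enabled' => false];
assert(totp_code('12345678901234567890', 59) === '287082');
$uri = mfa_begin_enrollment($session, 'tech@example.com');          // constructed sample account
$secret = base32_decode($session['mfa_pending_secret']);
assert(mfa_confirm_enrollment($session, $user, '000000', 1700000000) === false && $session['mfa_modal_open']);
assert(mfa_confirm_enrollment($session, $user, totp_code($secret, 1700000000), 1700000000) === true);
assert($user['mfa_enabled'] === true && !isset($session['mfa_pending_secret']));
assert(mfa_can_disable($user, true) === false && mfa_can_disable($user, false) === true);
echo "enrollment flow OK\n", $uri, "\n";
```

The point the thread makes, and the reason the secret lives in the session until a code verifies, is that `mfa_enabled` is never set for a user who has not proven their app produces valid codes, so a forced rollout cannot lock out a tech who closed the modal without scanning. Keep the `mfa_can_disable` check on the POST handler as well as the UI, and note that `pack('J')` needs 64-bit PHP and that `assert()` only fires when `zend.assertions=1`.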
This is already complete, marking complete.