Allow each admin user to choose which 2fa providers to setup

[willjones9]

Preconditions

• Magento 2.4.0
• PHP 7.3 and 7.4

Steps to reproduce

Enable (and configure) the following 2FA providers:

• Duo
• Google
• U2F.

Expected result

A user can choose between one of the three 2FA methods.

Actual result

Magento expects all three 2FA providers to be configured for every user account and it is not possible to pick and choose which provider is used on a per user basis.

• Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.

Configuring multiple 2FA providers causes the system to see them all as forced providers, meaning that they have to be configured for each and every user in the system as opposed to allowing a user to choose between one of the enabled providers.

This is a problem, considering that merchants may wish to configure the second factor authentication method on a user or role basis. For example, store administrators may wish to use Duo, whereas employees dealing with order fulfillment (who perhaps don't need to access the admin area out of hours and not have mobile phones on them during their day) may need to use a U2F such as Yubikey or similar.

The current implementation does not allow for this use case, which seems like it should be a very obvious option that should be included.

[ihor-sviziev]

2FA module was moved to https://github.com/magento/security-package/.
@sdzhepa @naydav could you move this issue into this repo?

[sdzhepa]

Thank you @ihor-sviziev
cc: @willjones-stratagem
Transferred to security-package repo

[m2-assistant]

Hi @willjones-stratagem. Thank you for your report.
To help us process this issue please make sure that you provided sufficient information.

Please, add a comment to assign the issue: @magento I am working on this

---

• Join Magento Community Engineering Slack and ask your questions in #github channel.

[nathanjosiah]

@willjones-stratagem Thank you for the report! This is by design. Once a user has configured all enabled providers they are able to choose which one they want to authenticate with.

[nathanjosiah]

To expand on my explanation, your users can configure the one they have access to at the time, then later when they have access to another they can configure the second one. You can skip configuration of a provider as long as you have at least one already configured. Once they have both configured they can simply choose which one they want to use at a given time.

[tschirmer]

This is still broken in 2.4.5-p1. And doesn't look intentional. If it is by design, the designers need try using it.

The workflow is like this:

• Install Magento 2.4.5-p1 on php 8.1

• As a admin login you're presented with this:
  

• This then sets the following in the backend:
  

• Once this is set, the users are forced to use the Google Authenticator, and cannot choose the Yubikey:
  

• If you select "Use default values" on the provider config, and remove the selection:
  

• The users correctly show the options for the providers to login with:
  

• HOWEVER. This then forces the admin login to be presented with the following on login:
  

• Which then sets the config value, and forces the users to use the provider.

It appears to me that 2 configuration values are intended, a "Use config providers" and a "Force config providers", but only one is present (or unintentionally being set to "force" instead of "use").

[nathanjosiah]

@tschirmer When multiple providers are enabled, each user must configure all of them (or skip the configuration). Once they are configured each user can choose which provider to authenticate with at each login.

[alucardatem]

What about adding multiple yubikeys as backup keys ? as you know when getting a hardware based token, you would always need a backup key which you should register with the service that provides that @nathanjosiah

correct me if i am wrong however but there is the possibility to do so as in the encrypted stored json data

"u2fkey": { "registration": { "public_keys": [ { "key": "<PUBLIC KEY DATA>", "id": "<ID ???>", "aaguid": "<ANOTHER STRANGE VALUE>" }] }, "active": true }

Doesn't the above mean that we should be able to add in X yubikeys ? as an example ?
and what about recovery codes to be used ?

looking into all of the services that provide 2FA -> configuration should be doable from Admin panel as well on user level to add in 2FA / change the 2FA / add in new security keys as extra methods and have a list of generated backup codes

that is basic in regards to 2FA.

[nathanjosiah]

@alucardatem yes, that is correct. The implementation was built with this forward-compatibility should it ever be implemented since it was a relatively common use case within u2f keys. However, u2f keys are not very common so there isn't a lot of push for this (or really any new 2fa features) and subsequently our product teams do not have anything on the roadmap at the moment for this feature. That said, something that may be of interest to you is that we do have something on the roadmap that would minimize the number of times you need to complete a 2fa challenge while using the same device. A sort of "remember me" feature.

[alucardatem]

@nathanjosiah - while the "remember me" feature is something nice to have, i think that users should have the possibility of changing the secret on the google auth ( re-implementing it or turning it off ) or having the option to use backup codes. but adding hardware tokens has become an essential security practice these days inside a lot of businesses and something like that inspires more trust to a merchant and a day to day operations user of the admin panel for a member of staff of client X from company Y, and would also take the load off a single administrator to issue "resets" every time someone "forgets" or loses the phone etc.

And to be honest, in this case at lease as i am seeing it combining the "remember me" for 2fa / login etc what it will be called ( similar to what last pass uses i would assume ) would be a really exciting feature and capability of magento which will put it ahead of competitors?

[diwipl]

@tschirmer When multiple providers are enabled, each user must configure all of them (or skip the configuration). Once they are configured each user can choose which provider to authenticate with at each login.

We have multiple cases in our customer base where some admins would like to use only google auth, others would like to use only hardware keys, and some would like to have both.

Currently, such a flow has really bad UX because in case an account has only one provider configured, the admin is forced to receive the email to configure the second one, and only after clicking the link in the email admin is able to click "Skip until next login" to use already configured provider.

Could you explain why skipping is not possible directly after the login screen (having of course at least one provider configured) without a need to receive an email and clicking on the link there?

[alucardatem]

Why is this closed ? and how can we set this to skip from the start and not go through X emails and bad workflows over this ?
as @diwipl mentioned we have also in our company users that have hardware keys and do not want a google 2FA / Authenticator app and people who want both and several individuals that use authy

now you can imagine that currently we have Google authenticator / authy / uf2 keys ==> that means that the person who uses the u2f key has to do skip on 2 emails before logging in.

[diwipl]

@alucardatem just for your information, since we cannot wait for Magento's official fix, we created a module that solves that issue: https://packagist.org/packages/creativestyle/magesuite-tfa-do-not-force-all-providers

[alucardatem]

@diwipl - done something similar ( internally ) :D without the skip.. it is just the show all providers in order to login directly via that one

however do like the skip second activation. thank you

[fredden]

@nathanjosiah please can you re-open this so that it can be resolved properly.

[nathanjosiah]

I'm going to look into this again. One of my teams may have availability to work on this.