Hi! I'm helping review the security audit recommendations and one is to review opportunities to enforce 2FA at the service level. Is this an option with how authentication is currently set up? Thoughts on added benefits?
Hey @cvaldivia19, thanks for surfacing this! It's about time we revisited this question probably.
The answer to your question: sort of. There are plugins that work well with our authentication library (devise) which would do this, but we haven't for a few reasons:
- if we set it up we have to maintain it, and I don't want to maintain a two-factor auth system that could go out of date
- my hope is that we'd be covered by two-factor authentication from people's Google accounts, but I don't know if there's a way to require your Google account have two-factor set up
- not to put too fine a point on it, but I have concerns about helping some of our less tech-comfortable users set up 2-factor, and helping them troubleshoot if we did require this.
Our approach thus far has been asking funds to encourage CMs to use Google accounts and two-factor on those, but I defer to you on whether that will continue to be a tenable solution.