two-factor
Feature request - enable 2FA for all
Hi,
It would be great to have the admin option to mass-enable 2FA for all user accounts (that don't have it activated yet), enabling the email based option and setting it as the primary. (unless the user had already enabled 2FA and set an option)
thanks
This is a great suggestion @corelanc0d3r. This will probably get resolved with adding the plugins settings #249 and enforcing the two-factor authentication would be one of the main features of those settings.
We could also add filters to enable this without waiting for a settings page.
awesome, thanks for the update. Do you happen to have a rough ETA?
Unfortunately I don't have an ETA because there are very few active contributors to this plugin and we never know when somebody can pick this up.
@corelanc0d3r There's also some prior art from wpcom vip's usage here:
https://github.com/Automattic/vip-go-mu-plugins/blob/master/two-factor.php#L153
There is now the two_factor_enabled_providers_for_user filter that can be used to enable two-factor providers for all users:
https://github.com/WordPress/two-factor/blob/873f782975c1d1070c4bcdec86d0e9a9a445e92b/class-two-factor-core.php#L325
Here is an example of how to enable the email second-factor for all users that don't have any other enabled:
```php
<?php
add_filter(
	'two_factor_enabled_providers_for_user',
	function( $providers ) {
		if ( empty( $providers ) && class_exists( 'Two_Factor_Email' ) ) {
			$providers[] = 'Two_Factor_Email';
		}
		return $providers;
	}
);
```
Leaving this open until we either introduce the plugin settings or document this filter.
Sorry if I missed this, but where in the settings page is the ability to set 2FA providers in bulk? Or is it documented? I couldn't find either.
@ecotechie Unfortunately, it can only be done via code for now as described in my comment above (from May 6th).
Oh, right, but this ticket is closed. Thought it would be left open, I guess you meant literally. You would close the ticket once there was a plugin settings, not necessarily this option added to the settings. Great plugin still!
Hello! Could you please recommend how to launch this filter (& where to put - functions.php?) and how to automatically enable Email 2-Factor for all existing & new users of particular groups?
- I tried to find in the source where this filter is added and what function handle it, I could not find it. Where is the filter defined?
- In example it seems to me you don't give any user->ID, is default all users.
- How would the code look if I want to enforce only for Admin users, that has not set it up, (rather than all users)?
@nathanrona here’s a variation that forces email 2FA on administrators and editors.
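```php
add_filter('two_factor_enabled_providers_for_user', function($providers, $user_id){
	// Roles for which email 2FA is forced when nothing else is enabled.
	$force_roles = [
		'administrator',
		'editor'
	];
	$user = get_user_by('id', $user_id);
	// get_user_by() returns false for an unknown ID; leave the list untouched then.
	if ( ! $user ) {
		return $providers;
	}
	if ( empty(array_intersect( $force_roles, $user->roles ) ) ) {
		return $providers;
	}
	if ( empty( $providers ) && class_exists( 'Two_Factor_Email' ) ) {
		$providers[] = 'Two_Factor_Email';
	}
	return $providers;
},10,2); // Priority 10, two arguments ($providers, $user_id).
```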
What if we want to use
```php
add_filter(
	'two_factor_enabled_providers_for_user',
	function( $providers ) {
		if ( empty( $providers ) && class_exists( 'Two_Factor_Email' ) ) {
			$providers[] = 'Two_Factor_Email';
		}
		return $providers;
	}
);
```
for email authentication but also allow user to change to Google authentication app TOTP authentication? Then I suppose this code also works right? Do not see enforcement of it using something like
```php
function memberpress_two_factor_enabled_providers_for_user($enabled_providers, $user_ID) {
	if (!in_array('Two_Factor_Email', $enabled_providers)) {
		$enabled_providers[] = 'Two_Factor_Email';
	}
	return $enabled_providers;
}
add_filter('two_factor_enabled_providers_for_user', 'memberpress_two_factor_enabled_providers_for_user', 1, 2);
```
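To compare the two filter callbacks quoted in the comment above, here is an added example (not code from the plugin or from any commenter) that runs under plain PHP without WordPress. The sample users and the `compare_policies` helper are constructed for illustration; `Two_Factor_Totp` is the plugin's TOTP provider class.

```php
<?php
// Added illustration; runs under plain PHP CLI, no WordPress needed.
// Outside WordPress the class_exists() guard from the thread is omitted.

// Policy A (first snippet in the thread): email only as a fallback.
$fallback_only = function ( array $providers ): array {
	if ( empty( $providers ) ) {
		$providers[] = 'Two_Factor_Email';
	}
	return $providers;
};

// Policy B (last snippet in the thread): email is always appended.
$always_email = function ( array $providers ): array {
	if ( ! in_array( 'Two_Factor_Email', $providers, true ) ) {
		$providers[] = 'Two_Factor_Email';
	}
	return $providers;
};

// Constructed sample data: providers each user enabled in their profile.
$users = array(
	'new_user'   => array(),
	'totp_user'  => array( 'Two_Factor_Totp' ),
	'email_user' => array( 'Two_Factor_Email' ),
);

// Hypothetical helper: apply both policies and flag users for whom
// policy B adds email next to a factor they chose themselves.
function compare_policies( array $users, callable $a, callable $b ): array {
	$rows = array();
	foreach ( $users as $name => $enabled ) {
		$after_b       = $b( $enabled );
		$rows[ $name ] = array(
			'fallback_only' => $a( $enabled ),
			'always_email'  => $after_b,
			'email_added'   => ! empty( $enabled ) && count( $after_b ) > count( $enabled ),
		);
	}
	return $rows;
}

foreach ( compare_policies( $users, $fallback_only, $always_email ) as $name => $row ) {
	printf(
		"%-10s fallback=[%s] always=[%s]%s\n",
		$name,
		implode( ',', $row['fallback_only'] ),
		implode( ',', $row['always_email'] ),
		$row['email_added'] ? '  <- email added beside user-chosen factor' : ''
	);
}
```

Under policy A a user who enables TOTP ends up with TOTP alone; under policy B email stays in that user's enabled list as well.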
I'm gonna close this because it looks like a duplicate of #255 / #239, but let me know if there's anything distinct that I missed.
Hi. Any updates on this? I just installed the plugin and I don't see a way to enable this as a default option for all users. Didn't want to assume and hence asking if it is done?
Cheers.
There is no such feature yet in the production I think. I have been adding this plugin and then enabling manually for each admin user.
This is a great plugin, and adding 2FA requirements by default for selected user roles is IMO the most important feature to add from a security perspective. However, I'd like to suggest this default requirement should include (well, prompt and strongly encourage) activation for ALL users on sites that have an open, public user account self-registration process enabled. Unfortunately, this can still be defeated by bots, as they already handle this plugin's 2FA challenges without slowing down.