[Docker Hub]: Allow organizations to require two factor auth for all members
Tell us about your request Docker Hub should allow an organization to require 2FA for all of its members.
Which service(s) is this request for? Docker Hub
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? When I add people to my organization on Docker Hub, I don't have a way of forcing them to enable 2FA, nor of checking that they have it set up. This means that sooner or later one of the members of our org won't have 2FA set up, leading to a potential issue.
Are you currently working around the issue? Yes. Every time I add a member, I cajole them to set up 2FA. They say they do so?
Additional context Github has a feature that allows an organization to require 2FA on all member accounts:
https://help.github.com/en/github/setting-up-and-managing-organizations-and-teams/requiring-two-factor-authentication-in-your-organization
It'd be great if Docker Hub had something similar.
@mlissner +1, thanks for submitting this feature request - moving to investigation for the team to scope!
So this is not yet implemented? Or is it hidden somewhere I just can't find it?
Even though it has been talked about in 2019 already…? If it's not implemented, it's quite baffling that Docker expects organizations to pay for the service, but doesn't even provide this basic security feature? ☹️
It would be great to at least show whether the users have 2FA enabled or not; this way we would be able to enforce the 2FA requirement manually...
Being able to see if all users have 2FA enabled is a must-have in order to increase the security of the organization's Docker registry.
+1
+1 This would be useful, it's currently a weakness for organisations supporting these systems.
+1 This seems like pretty basic functionality to me. If Docker are serious about security this feature should be available to all.
It's surprising that even after several years since this issue was raised, it's still an open item.
+1, and at the very minimum the ability for owners or administrators to get a report of members who don't have 2FA enabled.
this is becoming more and more necessary...
Hey all, I'm happy to bring to the team.
Just curious: Would you expect this to be allowed if you had SSO enabled? Generally, I would expect the IdP to have its own policy on 2FA.
I reckon this would apply mostly to teams without the business subscription. As you said with SSO enforced this would be covered by the IdP, if someone deemed MFA as a requirement.
Orgs that have a business sub and SSO with no MFA capability should probably benefit more in the long run if they were "forced" to implement this on their own in their IdP.
Just an update here. We are wrapping up some vision work around how users are managed by orgs. This will definitely make it into our roadmap. Not sure when, but it plays nicely with how we are going to be approaching the user/org relationships.
It would be ideal to:
- allow enforcing SSO login, aka "password login disabled" (and enabling each of those, GitHub and Google)
- allow making 2FA mandatory
With these two you can decide to rely either on your SSO provider's 2FA options or, alternatively, on Docker Hub's 2FA options.