Global disable 2FA
Describe the feature you'd like
I think we should consider a "global kill switch" to disable 2FA.
This option should be limited to SSO-enabled BookStack instances.
Describe the benefits this would bring to existing BookStack users
This feature is intended to make life easier for BookStack admins.
For an SSO-enabled BookStack instance, admins may already enable MFA requirements at the SSO instead of in BookStack. However, BookStack currently allows users to enable both, with no way of globally turning BookStack 2FA off, which causes nuisance to admins and confusion to users.
Case 1: An existing user may have enabled BookStack 2FA, and then enrolled into SSO MFA. Case 2: A new user with SSO MFA enabled can also enable BookStack 2FA.
In both cases, users can encounter 2 MFA challenges. Also, having 2 pathways to "enable 2FA/MFA" may cause users to enable the wrong MFA mechanism.
Can the goal of this request already be achieved via other means?
No. The BookStack 2FA mechanism cannot be disabled by admins.
Have you searched for an existing open/closed issue?
- [X] I have searched for existing issues and none cover my fundamental request
How long have you been using BookStack?
0 to 6 months
Additional context
No response
Thanks for the request @nixklai. Possibly something we look to do when we add the next MFA option (maybe #3912). At that point, we'd probably want to provide control of MFA options to users, so could disable MFA setup if an admin has configured no MFA options to be available.
Easiest/safest route to take would probably be to prevent new MFA registration/setup via this, rather than toggle entire MFA availability on/off. Avoids core conditional auth logic and some flexibility of enabling MFA for core/important accounts before making unavailable, with the impact being some potential pain to existing MFA environments where full disabling is required, but there are other options for dealing with that one-time case (DB lookup & de-activation via CLI).
I'm facing this issue also. As an admin I'm setting up SSO for my users on a Synology NAS using the built-in app Synology SSO Server to serve the SSO to my users.
I've successfully managed to set up SAML for my existing BookStack users; the only problem I'm facing now is the double 2FA/MFA for the users.
In the standard method the 2FA/MFA was already enabled for the users, and now with the SSO migration every user needs to authenticate with MFA two times.
As this is an old post, I was wondering if there is already a solution for this?
@BobWs There's a command to reset user MFA: https://www.bookstackapp.com/docs/admin/commands/#reset-user-mfa-methods
You could export the user list (API, Database, Scrape UI) to then batch that for each user.
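One way to batch the reset command pointed to above, as an added example that is not part of this thread or of BookStack's own code. It assumes the artisan syntax `php artisan bookstack:reset-mfa --email=<email>` from the linked docs page and a user export shaped like the `GET /api/users` JSON response (a `data` list of users with an `email` field); the sample users are constructed, and the script only prints the commands unless run with `--execute`.

```python
"""Batch-reset BookStack MFA for users taken from an exported user list.

Added example, not BookStack's own code. Assumed: the artisan command
`php artisan bookstack:reset-mfa --email=<email>` (per the linked docs) and
an export shaped like the users API response ({"data": [{"email": ...}]}).
"""
import json
import shlex
import subprocess
import sys
from typing import Iterable, List, Optional, Set

# Constructed sample export standing in for a real GET /api/users dump.
SAMPLE_EXPORT = json.dumps({"data": [
    {"id": 1, "name": "Admin", "email": "admin@example.com"},
    {"id": 2, "name": "Alice", "email": "alice@example.com"},
    {"id": 3, "name": "Bob", "email": "bob@example.com"},
]})


def load_emails(export_json: str, keep: Optional[Set[str]] = None) -> List[str]:
    """Addresses to reset, minus any in `keep`. Keeping break-glass or admin
    accounts out of the batch retains their BookStack MFA until SSO MFA
    enforcement has been verified (the 'core/important accounts' point above)."""
    keep = keep or set()
    users = json.loads(export_json)["data"]
    return sorted(u["email"] for u in users
                  if u.get("email") and u["email"] not in keep)


def build_commands(emails: Iterable[str], app_dir: str = "/var/www/bookstack") -> List[List[str]]:
    """One argv list per user; passing argv (no shell) means an odd character
    in an address cannot alter the command line."""
    return [["php", f"{app_dir}/artisan", "bookstack:reset-mfa", f"--email={e}"]
            for e in emails]


def run(commands: List[List[str]], execute: bool = False) -> int:
    """Dry-run by default: print each command. With execute=True run them,
    stopping at the first failure. Returns the number of commands handled."""
    for argv in commands:
        print(shlex.join(argv))
        if execute:
            subprocess.run(argv, check=True)
    return len(commands)


if __name__ == "__main__":
    targets = load_emails(SAMPLE_EXPORT, keep={"admin@example.com"})
    run(build_commands(targets), execute="--execute" in sys.argv)
```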
I second this request. An ENV variable to deactivate 2FA would really be handy. There is some confusion in an SSO scenario to have an additional 2FA pop up.
I third this request. Our end users get confused when we already have SSO enabled with Azure and then they click on their account to set up 2FA, because we do a good job of telling everyone that 2FA should be used in business and in their personal lives. Therefore, they will turn on the 2FA in BookStack, which is separate from our SSO 2FA, and they are thinking they are supposed to enter our SSO 2FA secret into BookStack's 2FA, and it doesn't work. I then must log in to the server and run the command on their account to turn off the BookStack 2FA and then remind them not to select/turn back on the 2FA in their profile.