
Feature: Allow users to enable 2FA during login

Open robotdan opened this issue 7 years ago • 7 comments

Enable 2FA during login

Problem

Using the FusionAuth provided login workflow, there is no way for a user to enable 2FA for their own account.

Currently this is only supported via APIs, or a FusionAuth admin may enable 2FA for their own account in the edit profile panel.

Solution

Perhaps on the login workflow you could check a box indicating you'd like to enable 2FA, and then once the password has been validated, before completing the login and redirecting back to the OAuth caller, we could prompt the user with a QR code to let them set up a 2FA app, or ask for their mobile phone if we don't have it already so we can use an SMS integration to push a 2FA code to their mobile for them to verify and enable 2FA.

Alternatives/workarounds

Currently a FusionAuth user could implement this themselves using the FusionAuth API, or a FusionAuth admin may enable 2FA for their own account.

Additional context

Add any other context or screenshots about the feature request here.

Related

  • https://github.com/FusionAuth/fusionauth-issues/issues/960

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

robotdan avatar Dec 06 '18 03:12 robotdan

This would be a great feature! - Ideally MFA should be enabled oob by default

whiskerch avatar Mar 20 '19 14:03 whiskerch

Thanks @whiskerch for the feedback. We'll likely add a policy of some sort to allow 2FA to be configured as required.

robotdan avatar Mar 20 '19 15:03 robotdan

Not sure if we should keep this one open or not. We now have self service two-factor enablement. Once we work through the policy options for two-factor we can revisit. It may always make sense to allow a user to log in, and then just push them to our existing configuration instead of adding another workflow during login.

robotdan avatar Apr 22 '21 18:04 robotdan

Just wanted to see if there is any update on this issue. We are evaluating Fusion as a replacement for our current auth solution and would like to use the hosted login page to manage mfa.

haghabozorgi avatar Jun 24 '21 17:06 haghabozorgi

@haghabozorgi - are you wanting to "allow" the user to enable MFA? Or do you want to "force" the user to enable MFA?

voidmain avatar Jun 24 '21 17:06 voidmain

@voidmain thanks for your quick reply. Ideally force but allow would be acceptable. Right now it seems the user cannot enable mfa with the hosted login page.

haghabozorgi avatar Jun 24 '21 17:06 haghabozorgi

The user can't enable MFA on the login page, but they can use the hosted account management pages to set it up and manage all of their MFA factors. One idea would be to handle this at your redirect_uri. You would complete the OAuth token exchange and then query FusionAuth to see if the user has MFA set up. If they don't have it set up, you could pop up a modal in your app that asks them if they want to set it up.

voidmain avatar Jun 24 '21 18:06 voidmain
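
The redirect_uri approach described in the comment above, sketched as an added example (not code from FusionAuth or from any commenter). It assumes the token endpoint is `/oauth2/token` and returns a `userId`, that the user lookup is `GET /api/user/{userId}` authenticated with an API key, and that enrolled factors appear under `user.twoFactor.methods`; the `cfg` keys and the `/mfa-prompt` and `/login` routes are hypothetical.

```python
import hmac
import json
import urllib.parse
import urllib.request

# Constructed sample of a user lookup response (not real data).
SAMPLE_USER = {"user": {"id": "u-1", "twoFactor": {"methods": []}}}

def http_json(method, url, headers=None, form=None):
    """Stdlib JSON-over-HTTP helper; `form` is sent form-encoded."""
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

def has_mfa(user):
    """True if the user object lists at least one two-factor method.
    Assumes the methods live under user["twoFactor"]["methods"]."""
    methods = (user.get("twoFactor") or {}).get("methods") or []
    return len(methods) > 0

def handle_callback(query, session_state, cfg, http=http_json):
    """Return the app-local path to redirect to after the OAuth callback."""
    # Reject the callback unless `state` matches what this session issued.
    state = query.get("state", "")
    if not session_state or not hmac.compare_digest(state.encode(), session_state.encode()):
        return "/login?error=state"
    if not query.get("code"):
        return "/login?error=oauth"
    # Server-side code-for-token exchange; client_secret never reaches the browser.
    token = http("POST", cfg["base_url"] + "/oauth2/token", form={
        "grant_type": "authorization_code",
        "code": query["code"],
        "redirect_uri": cfg["redirect_uri"],
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
    })
    # Use the user id from the token response, never one supplied by the browser.
    user_id = token.get("userId")  # assumed field of the token response
    if not user_id:
        return "/login?error=token"
    # Look the user up with a server-held API key and inspect their MFA methods.
    url = cfg["base_url"] + "/api/user/" + urllib.parse.quote(user_id, safe="")
    user = http("GET", url, headers={"Authorization": cfg["api_key"]}).get("user") or {}
    return "/" if has_mfa(user) else "/mfa-prompt"  # hypothetical app routes
```

This only prompts: a user who dismisses the prompt still holds a valid session, so it covers the "allow" case from the thread and not the "force" case.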

Planning to deliver via https://github.com/FusionAuth/fusionauth-issues/issues/197.

robotdan avatar Nov 21 '22 22:11 robotdan