[6.1] Allow to force or never force MFA for superusers

[zero-24]

Summary of Changes

Allow to force or never force MFA for superusers too.

Testing Instructions

Go to Users -> Manage -> Options -> Multi-factor Authentication Check the options "Disable Multi-factor Authentication" and "Enforce Multi-factor Authentication"

Actual result BEFORE applying this Pull Request

Its not possible to force or never force MFA for superusers

Expected result AFTER applying this Pull Request

It is possible to force or never force MFA for superusers

Link to documentations

Please select:

• [ ] Documentation link for docs.joomla.org:

• [x] No documentation changes for docs.joomla.org needed

• [ ] Pull Request link for manual.joomla.org:

• [X] No documentation changes for manual.joomla.org needed

[richard67]

Hmm, not sure if it is a new feature which would have to go into 6.1-dev.

[zero-24]

Done @richard67

[ceford]

I can see that Super Users appears in each of the dropdown lists. Can you explain what happens if I select both? Will I lock myself out? Does the wording of the inline description need adjustment?

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46248.}

[zero-24]

I can see that Super Users appears in each of the dropdown lists. Can you explain what happens if I select both? Will I lock myself out? Does the wording of the inline description need adjustment?

Good question i have not changed the code so the same will happen when you select both Administrator.

If anything you will not lock you self as that only makes sure that its forced that you have to setup 2FA or not. But in the end it will always be a binary decision.

This is the code so when i understand this correctly than forceing 2FA will win: https://github.com/joomla/joomla-cms/blob/d4be2a63169a4def5073b6d7f829f5e4943effc8/libraries/src/Application/MultiFactorAuthenticationHandler.php#L100-L114