alaveteli
Technically enforce WhatDoTheyKnow policy of requiring administrators to turn two-factor authentication on
Idea arising while recruiting/inducting a new administrator.
#2697 Increase security of superuser accounts
Quick win here would be to check on sign in, and if not enabled, redirect them to their user profile page with a flash warning that 2FA must be enabled.
They'd then be able to continue as normal, but they'd be warned every time they sign in, which would get annoying fast and be difficult to justify to the wider team.
We'd want this check configurable as ADMIN_REQUIRE_TWO_FACTOR_AUTH or similar.
Would take a load more work to limit actions only to enabling 2FA before they could do other things. I don't think we need that level of technical enforcement at this point.
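A plain-Ruby sketch of the sign-in check proposed in this comment, added here as an example and not code from the Alaveteli project; the `User` methods, the hash standing in for the configuration, the profile path and the flash text are all assumptions:

```ruby
# Added example (not Alaveteli code): the "quick win" sign-in check, modelled
# as a policy object so it runs without Rails. The setting name is the one
# proposed in the issue; everything else here is an assumption.

# Stand-in for a signed-in user. Alaveteli's User model is assumed to answer
# the same two questions (admin status, whether an OTP is enabled).
User = Struct.new(:email, :admin, :otp_enabled, keyword_init: true) do
  def is_admin?
    admin
  end

  def otp_enabled?
    otp_enabled
  end
end

class AdminTwoFactorPolicy
  # What the controller should do right after a successful password sign-in.
  Decision = Struct.new(:action, :redirect_to, :flash, keyword_init: true)

  PROFILE_PATH = '/profile/two_factor'.freeze # placeholder path (assumption)
  WARNING = 'Administrators must enable two-factor authentication.'.freeze

  # config stands in for AlaveteliConfiguration (assumption); the check is
  # off unless ADMIN_REQUIRE_TWO_FACTOR_AUTH is set.
  def initialize(config)
    @required = config.fetch(:admin_require_two_factor_auth, false)
  end

  # Only admins are affected, and only while the setting is on. The warning is
  # issued on every sign-in, not just the first, matching the comment above;
  # the user is still allowed to continue afterwards.
  def after_sign_in(user, intended_path:)
    if @required && user.is_admin? && !user.otp_enabled?
      Decision.new(action: :warn_and_redirect,
                   redirect_to: PROFILE_PATH, flash: WARNING)
    else
      Decision.new(action: :continue, redirect_to: intended_path, flash: nil)
    end
  end
end

# Example usage: an admin without an OTP is redirected to the profile page.
if __FILE__ == $PROGRAM_NAME
  policy = AdminTwoFactorPolicy.new(admin_require_two_factor_auth: true)
  admin = User.new(email: 'admin@example.org', admin: true, otp_enabled: false)
  p policy.after_sign_in(admin, intended_path: '/admin')
end
```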
Another sort of technical enforcement would be to disable password resets for admin users without an OTP. That would have a similar effect to just automatically enabling an OTP and the user not noting it, so that could perhaps be done.
> disable password resets for admin users without an OTP
Hmm, if an admin mistakenly pasted their password into a public forum – a public document, Slack, Twitter, whatever – I'd want them to be able to reset their password ASAP without barriers.