Problem: Require 2FA for every user
Issue
(This is filed under a "problem" instead of a "feature request", as this is a security issue at our company)
Currently, 2FA can be simply "enabled", being completely opt-in, even for existing users, without a "you need to enable 2FA now" screen popping up if they have a session that does not already have 2FA enabled.
You can also still log in without having 2FA enabled, and there is no way to (quickly) audit which users do or don't have 2FA enabled[^1].
For our security guarantees, we require core access to our systems to be behind 2FA, and since Semaphore is going to touch our core systems (for maintenance, automation, and/or deployment), we need 2FA to be required for every user that logs into it.
[^1]: Except to go to each user, click edit (the pencil), click security, and see if their 2FA toggle is on. But doing this for a hundred users isn't going to scale well, and I don't know any CLI command to pull this data either.
Impact
Web-Frontend (what users interact with)
Installation method
Package
Database
No response
Browser
No response
Semaphore Version
2.16.31-d14fa6b-1758101338
Ansible Version
Not relevant, but
ansible [core 2.19.3]
config file = /etc/ansible/ansible.cfg
configured module search path = ['[REDACTED]', '/usr/share/ansible/plugins/modules']
ansible python module location = [REDACTED]/venv/lib/python3.11/site-packages/ansible
ansible collection location = [REDACTED]:/usr/share/ansible/collections
executable location = [REDACTED]/venv/bin/ansible
python version = 3.11.2 (main, Apr 28 2025, 14:11:48) [GCC 12.2.0] ([REDACTED]/venv/bin/python3)
jinja version = 3.1.6
pyyaml version = 6.0.3 (with libyaml v0.2.5)
Logs & errors
not relevant
Manual installation - system information
not relevant
Configuration
Utilizing an LDAP setup with the following extra relevant bits:
{
  "auth": {
    "totp": {
      "enabled": true,
      "allow_recovery": true
    }
  }
}
Additional information
No response