Umbraco.Cloud.Issues icon indicating copy to clipboard operation
Umbraco.Cloud.Issues copied to clipboard

Published 20 hours ago verified publisher icon umbraco

Feature request, two factor authentication to be implemented on Umbraco back office

Open seanhudson39 opened this issue 2 years ago • 11 comments

Issue description

We have recently had a request to implement 2FA for our back-office users. After approaching Umbraco Support it became clear that this was not readily available but that we could develop a custom approach, which is what we will do. Support also suggested that I raise it as a feature request, so this is what this is for.

seanhudson39 avatar Dec 01 '22 13:12 seanhudson39

Hi @seanhudson39

I'm sorry but I'm not sure if I follow. Were you told that we don't have 2FA available on Umbraco Cloud?

That would be incorrect, as the feature has been out for a few months now.

Documentation link - https://our.umbraco.com/Documentation/Umbraco-Cloud/Set-Up/2-factor-authentication-on-cloud/

RyuLindow avatar Dec 01 '22 13:12 RyuLindow

Hi Darek

I understand it is available for those users logging in via the Umbraco Cloud project screen, but for those that only have access to the back office that feature isn't available.

seanhudson39 avatar Dec 01 '22 13:12 seanhudson39

No, that is not correct. Sorry to year you were told differently. 2FA works for access to both the Umbraco Cloud portal and the Umbraco Backoffice regardless of users being invited through the Portal or Backoffice. The only limitation would be whether Umbraco Id is enabled on the project or not. This is typically the case for Umbraco versions 8 to 11 and Umbraco Heartcore. Umbraco 7 projects don't have it by default, but it can be installed through a Nuget package.

sitereactor avatar Dec 01 '22 13:12 sitereactor

Ok, it was via a cloud support call that I got this information, but maybe I misworded my question, either way, as long as we can do it that is great. Can you guide me how I go about setting this up? Is it on a user-by-user basis, or I can we set it up globally?

seanhudson39 avatar Dec 01 '22 14:12 seanhudson39

Yes we have documentation here: https://our.umbraco.com/documentation/Umbraco-Cloud/Set-Up/2-factor-authentication-on-cloud/ (basically, you just need to click "Edit Profile" from either the Cloud Portal or from within the Umbraco Backoffice - the part that shows the logout option)

Right now its set up on a per user basis, but we will be adding a way to enforce it for an organization, so all users will be required to enroll into 2FA. I don't have a concrete timeframe for when it will happen though, but hopefully beginning of 2023.

sitereactor avatar Dec 01 '22 14:12 sitereactor

I have seen that documentation, right at the top it says, "You can use email, phone, or an authenticator app when logging in to the Umbraco Cloud Portal." Our back office users don't log in to the portal, they go direct the back office, i.e. http://[websiteurl]/umbraco. I can't see any similar functionality when in the back office to set this up.

seanhudson39 avatar Dec 01 '22 15:12 seanhudson39

That sentence should be updated from "You can use email, phone, or an authenticator app when logging in to the Umbraco Cloud Portal."

to

"You can use email, phone, or an authenticator app when logging in to the Umbraco Cloud Portal and the Umbraco Backoffice."

I will make sure its updated. The login is centralized so regardless of it being the Portal or Backoffice you will login through identity.umbraco.com, which is where the 2FA would prompt you for the 2FA code.

Once I'm at a computer I can try to record a short screen grab of the flow for the Backoffice.

sitereactor avatar Dec 01 '22 16:12 sitereactor

A short screen grab would help, as it is not obvious to me how we can do it. Our staff that will be adding content will not be logging in through identity.umbraco.com, they would be going to it by just adding /umbraco to the end of root URL.

seanhudson39 avatar Dec 01 '22 16:12 seanhudson39

Yes, and going to /umbraco will redirect you to a centralized login on identity.umbraco.com. This is what we refer to as Umbraco Id and what enables 2FA. But I think a short video will better explain :)

sitereactor avatar Dec 01 '22 16:12 sitereactor

@sitereactor - Actually I'd been looking at 2FA for Umbraco7 backoffice, and whether or not to implement UmbracoID for all my legacy v7 sites (as they are likely to stay legacy for some time) using that package mentioned, and documentation was the first issue I struck there too. I guess it's understandable given that it's implemented by default on Umbraco-Cloud-8+ sites, but I'm always leery of experimenting with a live Cloud site when I don't have a reasonable understanding of the possible impacts, so have been avoiding the issue as a result.

c9mb avatar Dec 01 '22 21:12 c9mb

Thanks Morten, have you managed to create that short video? Thanks, Sean

seanhudson39 avatar Dec 05 '22 15:12 seanhudson39

Hey @seanhudson39 :)

This is a pretty old thread, as we are going through the issue tracker at the moment to address any potential bugs. I will be closing this down in the name of cleanup.

If some of this is still a relevant feature request for you, feel free to post in the discussions sections under ideas.

Regards

kenniholm avatar Jul 22 '24 12:07 kenniholm