Hi,
We would like to enforce 2FA for our users to increase access security. I see that DHIS2 allows users to enable/disable 2FA themselves, which makes it really easy to circumvent the 2FA rule. Is there a reason why DHIS works this way? Is there a way to hide this setting from users so that only system administrators can change it?
I think the reason to make the two-factor authentication (2FA) option available per user is that the flexibility makes it the user’s responsibility to secure their account and keeps it under their control.
2FA is an important security feature that helps to protect against unauthorized access to accounts.
I am not sure if there is a way, via the API, to stop this setting from being shown to end users and keep it exclusive to the system administrator; please review the link below for more details:
I hope this helps! Let me know if you have any further questions.
Thanks @ayman.tuffaha, that makes sense for users who are very security conscious/aware. It certainly does not help much from an organizational security management standpoint; it should not be a decision left to individual users. I just find it very odd that it is designed this way.
@Eric_Boyd_Ramirez To add to @phil’s response, we hope to have mandatory MFA support ready for the next release which is 2.40 in May. The backend work is ready (PR) and we are working on updates to the user web app and login screen.
Just wanted to mention that DHIS2-13333 does implement the feature to enforce 2FA on any user or group of users; it still does allow people to disable 2FA. What will happen if you disable it is that you will go through enrolment/setup again on next login, so that will be a possibility for an attacker to set up 2FA for himself/herself, but only if the attacker has been able to hijack a session, or got access to a machine where the victim is still logged in.
We could for sure add a feature which disables this possibility, and only allows the super admin to disable/reset 2FA for a user.
I liked the idea so much that I made a PR for this: DHIS2-14463
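To make the difference between the two behaviours discussed in this thread concrete, here is a small added model (written for this page, not code from DHIS2, DHIS2-13333 or DHIS2-14463, and not using the DHIS2 API). It assumes a group-based "enforced 2FA" policy, a `self_disable_allowed` switch standing in for the proposed admin-only reset, and constructed users `alice`, `bob` and `admin`. It shows the re-enrolment window that opens when a user's own session can switch 2FA off, and an audit that lists enforced users who currently have no 2FA enrolled.

```python
"""Toy model of self-service vs. admin-only 2FA reset (illustrative, not DHIS2 code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class User:
    username: str
    groups: Set[str] = field(default_factory=set)
    is_superuser: bool = False
    two_factor_enabled: bool = False


@dataclass
class Policy:
    # Groups whose members must use 2FA (assumed shape of group-based enforcement).
    enforced_groups: Set[str] = field(default_factory=set)
    # True: users may switch 2FA off on their own account (behaviour described above).
    # False: only a superuser may disable/reset it (assumed semantics of the proposal).
    self_disable_allowed: bool = True


def is_enforced(user: User, policy: Policy) -> bool:
    """2FA is mandatory for members of any enforced group."""
    return bool(user.groups & policy.enforced_groups)


def can_disable_2fa(actor: User, target: User, policy: Policy) -> bool:
    """Authorization rule for turning 2FA off on `target`."""
    if actor.is_superuser:
        return True
    if actor.username != target.username:
        return False
    return policy.self_disable_allowed


def disable_2fa(actor: User, target: User, policy: Policy) -> bool:
    """Apply the rule; return whether the change was accepted."""
    if not can_disable_2fa(actor, target, policy):
        return False
    target.two_factor_enabled = False
    return True


def next_login_step(user: User, policy: Policy) -> str:
    """What the login flow does for this user next time."""
    if user.two_factor_enabled:
        return "2FA_CHALLENGE"
    if is_enforced(user, policy):
        return "ENROL_2FA"  # fresh enrolment: whoever logs in picks the device
    return "PASSWORD_ONLY"


def audit_enforced_without_2fa(users: List[User], policy: Policy) -> List[str]:
    """Defender-side check: enforced accounts that are currently unprotected."""
    return sorted(u.username for u in users
                  if is_enforced(u, policy) and not u.two_factor_enabled)


def self_disable_scenario(self_disable_allowed: bool) -> Dict[str, object]:
    """A request from alice's already-authenticated session tries to turn 2FA off."""
    policy = Policy(enforced_groups={"data-managers"},
                    self_disable_allowed=self_disable_allowed)
    alice = User("alice", {"data-managers"}, two_factor_enabled=True)
    bob = User("bob", {"data-managers"}, two_factor_enabled=False)  # never enrolled
    accepted = disable_2fa(alice, alice, policy)
    return {
        "disable_accepted": accepted,
        "alice_next_login": next_login_step(alice, policy),
        "audit": audit_enforced_without_2fa([alice, bob], policy),
    }


if __name__ == "__main__":
    for allowed in (True, False):
        print(f"self_disable_allowed={allowed}:", self_disable_scenario(allowed))
```

With `self_disable_allowed=True` the request is accepted and alice's next login is `ENROL_2FA`, so the audit lists her alongside the never-enrolled bob; with the admin-only rule the request is refused, alice keeps her `2FA_CHALLENGE`, and only bob shows up in the audit. Running the audit periodically is the check an administrator can do regardless of which rule the server applies.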