Remove "Disable Two-Factor Authentication" button in User Settings

Hello,

I hope this message finds you well. I am writing to inquire about the possibility of removing the option for users to disable 2FA (Two-Factor Authentication) on their own. Currently, when 2FA is enabled by an administrator, the corresponding feature appears on the user’s settings page. However, I need to ensure that users cannot disable 2FA independently.

Is there a way to implement this functionality?

Thank you for your assistance.

There is an option “Force two factor authentication”. You can give it a check.

Good day, Daniel!
Yes, that’s correct, the “Force two factor authentication” option is enabled both in the admin console and in the seahub_settings.py configuration file (screenshot 1).

However, here’s what happens if the user disables 2FA on their own (screenshot 2).

Indeed, upon the next login, the user is presented with a QR code for 2FA. But the user can click “Cancel” (screenshot 3).

Then the user is directed to the settings page, from where they can access the libraries through the “Notifications” button and reach the main page (screenshots 4, 5).


Moreover, if the user disables 2FA through the settings, they can access the system without 2FA using the mobile client.

Please help, how can this issue be resolved? Why can the user cancel the 2FA registration when Force Two-Factor Authentication is active? The result we need to achieve is to enforce 2FA (Force Two-Factor Authentication) for users.

We enable this option for the user, but the user can still cancel the OTP registration during login and continue using the system without 2FA.

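The two gaps described in the posts above (cancelling enrollment at login, and disabling 2FA from the settings page so a mobile client can log in without it) come down to where the "force 2FA" check is made. The following is an added illustration, not Seafile's or seahub's code, of a server-side enforcement check that would close both; every name and path in it is hypothetical.

```python
# Added example (not Seafile's code): framework-neutral "force two-factor"
# enforcement. All names and paths are hypothetical placeholders.
from dataclasses import dataclass

# Paths a not-yet-enrolled user may still reach while forced 2FA is on: the
# enrollment flow itself, logout, and static assets. Settings, libraries,
# notifications and the API are all blocked until a TOTP device is confirmed.
ENROLL_ALLOWLIST = ("/two-factor/setup/", "/accounts/logout/", "/static/")


@dataclass
class User:
    username: str
    has_confirmed_totp_device: bool


@dataclass
class Settings:
    force_two_factor: bool


def two_factor_redirect(user, path, settings):
    """Return a redirect target, or None if the request may proceed.
    Called for every authenticated request, not only at login."""
    if not settings.force_two_factor or user.has_confirmed_totp_device:
        return None
    if any(path.startswith(prefix) for prefix in ENROLL_ALLOWLIST):
        return None
    return ENROLL_ALLOWLIST[0]


def can_disable_two_factor(settings):
    """Server-side guard for the 'disable 2FA' action. With force on the
    answer is always no, whether or not the UI still shows the button."""
    return not settings.force_two_factor


def handle_enrollment_cancel(user, settings):
    """Cancelling enrollment must not yield a usable session: with force on,
    the only exits are finishing enrollment or logging out."""
    if settings.force_two_factor and not user.has_confirmed_totp_device:
        return "/accounts/logout/"
    return "/"


def can_issue_api_token(user, settings, totp_verified):
    """Token issuance for desktop/mobile clients applies the same rule, so a
    client login cannot bypass 2FA that the web UI enforces."""
    if not settings.force_two_factor:
        return True
    return user.has_confirmed_totp_device and totp_verified
```

The point is that the check runs on every request and on token issuance, so removing or hiding the settings button alone would not be sufficient.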

Thanks for discovering the issue. We will give it a check and make a fix in version 12.0.

Good afternoon, Daniel! I have switched to Seafile 12 CE (previously used 11 CE). In version 12 CE, the same issue persists - the ability to bypass 2FA. When will the problem be fixed? It has a serious impact on security.

The fix will be included in the next release.