Is there a way to force TFA for all users?

[DrQuincy]

Just that really. I'm using Ryan's TfaEmail module. I can force this on users by role in LoginRegisterPro — but how can I do it for back-end users? Is it possible? I.e. So any already created users use it and also any futures ones — and prevent it from being switched off.

Thanks.

[AndZyk]

Hello @DrQuincy,

have you tried this:

Quote

Here’s how it’ll work. You’ll install the TfaEmail module, and in the ProcessLogin module settings, you’ll be able to select the roles that TFA is required for (like you currently select the roles that TFA is “recommended” for). When a user logs in and has TFA required, then they’ll see the auth-code screen, along with a message telling them to check their email for the code. At this point, users may also select the “remember me” option.

Source: https://processwire.com/blog/posts/pw-3.0.159/

Regards, Andreas

[DrQuincy]

Thanks for the link! There is no such option on the TfaEmail module page. I only get two settings for the code, the “from” email and the method of sending the email.

I get that option in LoginRegisterPro — but not for back-end users.

[AndZyk]

You have to look in the ProcessLogin module settings. You can find it in the core modules or with the search function. 😉

[DrQuincy]

Ah-ha, there it is, thanks @AndZyk!

[AsherBlake]

Yes, you can enforce the TfaEmail module for back-end users by modifying the user roles or permissions directly in the backend. You could write a script that updates existing users to require TFA and ensures that it's always enabled for new users. Also, make sure to lock the setting to prevent any user from disabling it.

Edited March 10 by AsherBlake