Making 2FA Mandatory for Admin Users
# help-with-umbraco
p
Hi All, I've implemented 2FA as specified here - https://docs.umbraco.com/umbraco-cms/reference/security/two-factor-authentication#login-with-2fa-enabled. I'm just wondering if it's possible to enforce this so back office users have to use 2FA to sign in, rather than it being optional. Thanks
s
Hi, we had the same issue some time ago. Umbraco support told us at that time there is no way to enforce it (at least not out of the box). You can always suggest it as an enhancement in the repo.
s
Having some "disagreements" with some very well-paid experts about what protection this actually gives. If the password can't be brute forced... if the password is compromised, then it's likely the user's phone is.. so.. what's the point?
More barriers to do your job <> increased security. It can make users do more dumb things (like turn it all off because it's annoying).
t
Having implemented 2FA on quite a few sites now I can say that the documentation is quite good and easy to implement and clients may not want 2FA, and as such I believe that it should remain optional.
m
@pdqumbraco recently did something like this to enforce it through the Umbraco Backoffice UI. https://gist.github.com/markadrake/f6c00123ad177e7d4395849c079ab0e9
s
It is SUPER effective against users who reuse passwords all the time. And they do because password management is hard. Ask them how many phones they've actually managed to compromise themselves. For the VAST majority of users it is way way way too much work to compromise a phone. Unless you're protecting something that's very attractive, you probably don't need to worry about phone intrusion.
s
Reluctantly agree 😂
p
Looks good Mark, I'll give it a look
r
Thanks for the pointers @Mark Drake! I modified it to show an overlay for the user to give a bit more information into what they were seeing - https://gist.github.com/Rockerby/3dce3a47c8657a7fa4a7fbcb7bd73190. I now need to work out a way to only show this to users who logged in locally and not show it to external logins.
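The two gists linked above enforce 2FA from the back-office UI. A server-side complement, added here as an example and not taken from the thread or from either gist, is to audit every successful back-office login and flag the ones made by users (admins in particular) who have no two-factor provider enabled, so the gap is at least visible in the logs while enforcement is being worked out. It assumes Umbraco 10+ and the `ITwoFactorLoginService`, `UserLoginSuccessNotification`, `IUserService` and `IsAdmin()` APIs shipped with the CMS; the class names and log messages are my own. It does not try to tell local from external logins, which the notification alone does not expose.

```csharp
// Added example (not from the thread or the linked gists).
// Assumes Umbraco 10+: ITwoFactorLoginService, UserLoginSuccessNotification,
// IUserService and the IsAdmin() extension. Class names and messages are mine.
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Events;
using Umbraco.Cms.Core.Models.Membership;
using Umbraco.Cms.Core.Notifications;
using Umbraco.Cms.Core.Services;
using Umbraco.Extensions;

// Composer: Umbraco discovers IComposer implementations at startup and calls Compose.
public class TwoFactorAuditComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        // Run our handler after every successful back-office sign-in.
        builder.AddNotificationAsyncHandler<UserLoginSuccessNotification, TwoFactorAuditHandler>();
    }
}

public class TwoFactorAuditHandler : INotificationAsyncHandler<UserLoginSuccessNotification>
{
    private readonly IUserService _userService;
    private readonly ITwoFactorLoginService _twoFactorLoginService;
    private readonly ILogger<TwoFactorAuditHandler> _logger;

    public TwoFactorAuditHandler(
        IUserService userService,
        ITwoFactorLoginService twoFactorLoginService,
        ILogger<TwoFactorAuditHandler> logger)
    {
        _userService = userService;
        _twoFactorLoginService = twoFactorLoginService;
        _logger = logger;
    }

    public async Task HandleAsync(UserLoginSuccessNotification notification, CancellationToken cancellationToken)
    {
        // The notification carries the integer user id as a string.
        if (!int.TryParse(notification.AffectedUserId, out int userId))
        {
            return;
        }

        IUser? user = _userService.GetUserById(userId);
        if (user is null)
        {
            return;
        }

        // True when the user has completed setup for at least one 2FA provider.
        bool hasTwoFactor = await _twoFactorLoginService.IsTwoFactorEnabledAsync(user.Key);
        bool isAdmin = user.IsAdmin();

        if (hasTwoFactor)
        {
            _logger.LogInformation(
                "Back-office login by {UserName} (id {UserId}, admin: {IsAdmin}) from {Ip} with 2FA enabled",
                user.Username, userId, isAdmin, notification.IpAddress);
            return;
        }

        // Warning level so the entries are easy to alert on; admins without 2FA are the
        // case the thread is concerned about, so they are called out in the message.
        _logger.LogWarning(
            "Back-office login by {UserName} (id {UserId}, admin: {IsAdmin}) from {Ip} WITHOUT 2FA enabled",
            user.Username, userId, isAdmin, notification.IpAddress);
    }
}
```

Drop the file into the web project and it registers itself; no further configuration is needed beyond the 2FA provider the question already set up. Searching the logs for "WITHOUT 2FA enabled" then gives the list of accounts that still need to be pushed through the UI enforcement.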