Is it possible to disable MFA for specific users and enable it for eveyone else?
Ive only added admin and one other user under advanced settings and a different user is STILL being asked for MFA token. No, that user is NOT in a group that is flagged under advanced for MFA use.
Using latest Ubuntu based deployment
Mind you providing more details about this statement? Do I understand correctly, that you have set up group where you (admin) and one another user and this group is eligible for enabling mandatory 2FA but the code is required for the user who is not in the group or in the separate list?
Also, please let me know versions of all components of the portal. You can find those in Update tab of the Control Panel.
We have tested the situation with MFA being asked for the users that are not in the list/group under Mandatory Two-factor authentication setting and, unfortunately, currently this feature is bugged.
We registered a bug based on this behavior and have already started working on it.
Thank you for reporting this issue and sorry for the inconvenience caused.
I’ve a work qaround for now by tying non-MFA access to a subnet.
Hello again @ivan
I’ve got some new information on the MFA. I have found out that current behavior is not bugged, here is description of how feature works:
- If MFA is set to Disable - no code is required for any users to log in;
- If MFA is enabled either by SMS or Authenticator app - code is required for everyone.
a) If in Trusted Networks any IPs are specified and user logs in under the IP in this list - code is not required;
b) If user is in Mandatory Two-factor authentication list or group - code is required anyway even though user logs in under a trusted IP.
With that said, according to your description of the problem, you have MFA enabled with Authenticator app which means that you have MFA enabled for everyone on the portal (clause 2). You can now set up Trusted Networks section for the users that should not be asked for the code when logging it.
I hope it brings some more clarity to the topic.
This helps a lot.
Perhaps add to a FAQ for OO in case anyone else finds the “non bug”
PLS close ticket and thanks for follow up