Add an Enterprise Policy to forbid users from enabling two-step-login

Perhaps dependent on having Require single sign-on authentication enabled.

It obviously should not apply to owners and admins of the Enterprise Organization (as they cannot log in with SSO).

This way, we admins could force MFA at the IdP level and keep having the possibility of helping users that lost their second factor (which we can’t if that lost factor is a Bitwarden two-step-login method).

@kpiris As you also aim at SSO, I think your request essentially is the same as: Ability to Disable User-Added 2FA When SSO Is Enforced - do you agree?

Not really.

Although it has almost the same practical implications.

But I would argue to keep this one FR as it seems to me that it would be less problematic to implement than the other one you pointed at (thanks for that, btw).

I also think it would be less intrusive to users not letting them enable something than an admin being able to disable something they set up some time ago.

Btw, I would be happy if Bitwarden implemented any of these two FRs.

Now that I read that FR again I see that the title and the actual request ask two slightly different things.

:confused:

Hm. Now I looked into it again as well.

I think you are talking about SSO - and want to hinder users from enabling 2FA.

The other feature request is also talking about SSO - and wants to disable user’s 2FA.

In your request: what would happen with users that already activated 2FA? I guess you want to be able to disable 2FA then as well?

Maybe I misinterpret you, but it seems to me, those two feature requests could be merged as you both want to achieve the same thing in the end, right? (to be able to deactivate the user’s 2FA when using SSO)

That’s exactly what I thought when I read that FR’s title:

Ability to Disable User-Added 2FA When SSO Is Enforced

But when I re-read the body of the FR:

He seems to be requesting exactly the same as I am.

:confused:

I don’t want to be able to disable two-step-login for our users who enabled it.

If users had previously activated it when activating the policy, I guess exactly the same happens as with other policies:

warning

Organization members who are not owners or admins and do not comply with this policy will have access revoked when you activate this policy. Users who have access revoked as a result of this policy will be notified via email, and must take steps to become compliant before their access can be restored.

It depends on what the other FR is really requesting: if he is requesting to be able to deactivate two-step-login for users that have previously activated it on their accounts, then I would prefer the two FRs not to be merged, as they are essentially different.

If the other FR is requesting the same that I am, of course they should be merged.

I agree that the end goal of both FRs is the same, but the means to that end are different, and the difference is important, IMHO.

@kpiris Hm, thanks for that comprehensive response!

I have given it some thought now and revisited both requests – and would think now that in practical terms both “request variations” would have the same effect… wouldn’t they?

I understand that difference, but is it a difference? You quoted yourself the “warning” message - and wouldn’t that mean that any policy, when exercised, implies that users have “to become compliant before their access can be restored”?

So even if you (or OP of the other FR) don’t want “to deactivate two-step-login for users” – with such a policy, they’d have to deactivate 2FA themselves (if it was activated) to follow the policy. Right? (–> a policy of an Organization is not optional when enforced - users have to comply → and then it really doesn’t matter, in regard to the two FRs, if a user doesn’t have 2FA activated and already complies or has to deactivate it in order to comply)

What do you think?

PS: So, if it was too implicit: I would merge… title and wording could be slightly adapted - and further discussions are then always possible of course.

IMO it is a (big) difference.

Disabling a user’s two-step-login is something serious that Bitwarden support will never do if asked to. And to be coherent, I think an admin should also not be able to do it.

Forcing a user to do it himself (to become compliant with an organization policy) is totally different.

I will repeat myself, I don’t mind merging at all, if that FR is requesting the same that I am (which I can’t categorically affirm).

I should have added “(but is it a difference) in practical terms?”… as I then wrote.

I think I’ll do something completely crazy now – and just ask them.
