I’d like to have the ability to turn on 2fa for a single person and/or by group. Currently it appears that you can only set a policy to force 2fa for the organization.
@bharper Welcome to the forum!
What is the reason why you want users to not use 2FA? This puts their vaults at great risk.
With enterprise SSO you can enforce MFA at the IdP.
There is a policy to force all users except organization owners and admins to login through the 3rd party IdP.
I, for one, would like to be able to force owners and admins to use bitwarden 2SV but not for the rest of the users. Because for the latter ones I enforce it at the IdP.
Right now I have to tell owners and admins that they need to configure 2SV on their bitwarden accounts, and trust that they will listen to me.
Although, honestly, in our case, it is not a very big deal, organization owners and admins should be trustworthy anyway.
“Should” doesn’t mean “are”. My suggestion is, if you are the technical expert, force everyone to set up 2FA. For the ones who complain, explain why, even though they may be trustworthy etc., you are requiring this step to protect the organization.
As I said, I already force MFA on all [1] bitwarden users with enterprise SSO at the IdP [2]. I don’t want to force them to also set up bitwarden 2SV. It’s unnecessary (from a security perspective) and results in a worse user experience.
[1] on all except owners and admins, as they cannot login through enterprise SSO 3rd party IdP.
[2] And with our IdP’s policies I can fine tune which MFA method I want to enforce depending on several factors. For example, I could:
- allow a code sent by email if the user is logging in from our office.
- disallow email, but allow a push notification if the user is in our country.
- allow only webauthn with a platform authenticator if the user is abroad.
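As an added illustration, not part of the post above and not any particular IdP’s configuration, the tiered policy described in [2] together with the owner/admin exception from [1] can be modelled like this; the office network and home-country values are placeholders:

```python
import ipaddress
from dataclasses import dataclass

# Placeholder values for the example (constructed, not from a real deployment).
OFFICE_NETWORKS = ["203.0.113.0/24"]   # TEST-NET-3, stands in for the office egress range
HOME_COUNTRY = "XX"                    # stands in for "our country"


@dataclass(frozen=True)
class LoginContext:
    source_ip: str   # client address as seen by the IdP
    country: str     # country the IdP geolocated the login to


def from_office(ctx: LoginContext) -> bool:
    ip = ipaddress.ip_address(ctx.source_ip)
    return any(ip in ipaddress.ip_network(net) for net in OFFICE_NETWORKS)


def allowed_mfa_methods(ctx: LoginContext) -> set[str]:
    """MFA methods the IdP policy permits for this login.

    The abroad rule is checked first so a login outside the home country can
    never fall back to a weaker method, even if it comes from an office address.
    """
    if ctx.country != HOME_COUNTRY:
        return {"webauthn_platform"}          # abroad: platform authenticator only
    methods = {"push", "webauthn_platform"}   # in country: push allowed, email not
    if from_office(ctx):
        methods.add("email_otp")              # office: email code also allowed
    return methods


def second_factor_enforcement(role: str, ctx: LoginContext) -> str:
    """Where the second factor is enforced for a given user.

    Owners and admins cannot log in through enterprise SSO, so nothing at the
    IdP covers them; their 2SV has to come from Bitwarden itself. Everyone else
    is covered by the IdP policy above.
    """
    if role in {"owner", "admin"}:
        return "bitwarden_2sv"
    return "idp:" + ",".join(sorted(allowed_mfa_methods(ctx)))
```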