Force 2FA for organizations

app:all

#1

In our organization we trying to setup 2FA wherever it is possible. In Bitwarden it is possible but we cannot force it, so every user can choose if he want to set it up or not.
There is also no possibility to see which user has 2FA activated that we can talk to them (Like in Github).

So if it´s not possible to force org members for 2FA we need to see which user haven´t it enabled.


Enforce 2FA on organization members
#2

We have exactly the same issue. At least, show who have not enabled it.


#3

This will soon be possible with Duo 2FA for enterprise organizations.


#4

No chance to make this also for “normal” 2FA available?


#5

‘Normal’ 2FA would be far better than Duo


#6

Duo 2FA for enterprise organizations is now live. See https://help.bitwarden.com/article/setup-two-step-login-duo/

We don’t have any plans for the other “normal” 2FA methods on the organization level since they are not well suited for managing at the organization level. For example, how would you expect to onboard a user to some 2FA method if they are required to have it by an organization and cannot get into their account?


#7

I´m not sure how github or Microsoft handle this exactly but these organizations also offer 2FA with existent users.
So for the first step a simple warning( Your Org wants you to enable 2FA) would be nice, with this and the option to check over the admin center the 2FA status we would be a step forward,

In a second step it could be like github, you can create an account without 2FA but if you want join the organization which require 2FA you need first enable it.


#8

Yes, that’s the happy path, but what if a user is already part of the organization and then removes 2fa? How could we handle situations like this?


#9

This could be two options:

  1. The user don´t have access to org vault when he disable 2FA
    or like github handle this
  2. the user can´t disable 2fa as long as he is part of the org

#10

What if the user needs to disable 2FA through a recovery because they lost their 2FA device?


#11

For that most providers use recovery codes. You don´t need to disable 2fa but with them you can register a new device for 2fa.


#12

I would like this feature too!


#13

It’s very simple:

  1. Organization has require2fa bool flag.
  2. When true, when adding a new member to an organization or collection in the org, check for 2FA, if disabled, send the invite, when the user visits the link, redirect to 2FA setup before the actual collection join. If they refuse to activate 2FA, throw and error and don’t let them join.
  3. If a user in an org/collection with the flag disables 2FA, warn them they will be removed from the collection/org, and need to be re-invited. Then remove them from the org.

This is how github works. The only extra hoop is for the admin to have to reinvite you when you disable 2FA.

To help this, you could also make a new atomic 2FA update option. (aka, a screen that requires a backup code or 6 digit code from the current secret, Then it takes you to another screen that sets up a new secret. And if the new secret confirmation is not completed, the old secret stays active.) that way someone moving to a new device could do so atomically and not be removed from the org.


#14

What about a new setting in the organization ?
Force people to use 2FA : yes/no

If enabled, a user will see shared collections only if he has enabled one of the 2FA providers.
It he has not enabled a 2FA provider yet, or if he disabled it, he can’t see collections.
If he (re-)enables a 2FA provider, he can see collections.

Quite simple, convenient for users as they can choose their own 2FA provider, and improve organization security :+1:


#15

I’m trying Duo Security with the Enterprise plan for Bitwarden to do this. It seems pretty good so far.


#16

We would also prefer this solution. For now we have to check the events log manually to verify that each user have 2FA enabled on their accounts. Luckily the amount of users are low for now.


#17

We would also prefer to enforce 2FA, but without having to use the Duo Security option. Currently on track to roll this out in our company, so being able to enforce this is a huge plus.


#18

We’re currently testing Self Hosted Bitwarden.
I totally agree with others, it can be a real dealbreaker if we can’t enforce 2FA for all organization’s users. (especially when you’re ISO27001 certified, with a lot of recurrent audit reviews)


#20

2FA is not an option any more for organizations, they need to control and manage the way it is set up by users.
The problem with the (excellent) DUO possibility is that if you want to force and mostly manage 2FA, you have to subscribe to the 6$ per user per month payment.
That hugely increase the cost of the password management solution from 3$ for Bitwarden to an additional 6$ (twice more than Bitwarden), which makes a total of 9$ per user per month.
Three time more expansive is completely killing the concept of using bitwarden in enterprise, which is really a pity because it is such an excellent solution compares to other competitors (who even include the 2FA management) :frowning:

Ideal solution would be to have the 2FA management included in bitwarden in the same ways other password management solution do, or having a special partnership competitive offer from Bitwarden+DUO. Beyond a total of 6$ per user per month, it’s completely dissuasive :frowning:


#21

Surely an option would be to just disable access to an organisation’s collections if 2FA is switched off? Access to everything outside collections could continue to work.

Also I believe there is no way for me to run a report on my users to check who has turned their 2FA on?