Improve 2FA and auth management
Right now, there is no way to require Google auth or to require 2FA. The only way to enforce 2FA for a team is to check the team management page. However, since some users may have only used Google auth to log in, they will show up in this view as not having 2FA, creating auditing headaches. Please
- indicate if a user does not have 2FA because they do not have a password vs. just not having 2FA
- ideally, add the ability to require 2FA and/or Google auth for all team members
Tomer Levin commented
For me, even just seeing a little Google icon in Access Manager would be a big step. Currently I'm forcing my users to log in w/o Google, just so I'll be able to see the little blue "MFA" badge. I mean, all of us G Suite users that care about this probably already force MFA for all Google accounts in the organization, so just showing us if the user has authenticated with Google assures us he's got MFA on.
All of that said, since I see my specific need is a little narrower than this ticket, should I open a separate one, or is it better to join forces?
AdminFuat (Admin, MongoDB) commented
Thank you for the feedback. I want to clarify that MFA can be enforced for users authenticating with their MongoDB cloud accounts. When users access Atlas with federated authentication (Google or SAML), MongoDB does not get the information whether the authentication happened with MFA, and it relies on MFA enforcement at the identity provider. We are closely watching this feature to improve the experience.
This is a huge issue from a security/auditing standpoint.
In Algolia and similar SaaS, enabling 2FA still requires the 2FA for the PaaS regardless of the authentication source.
So Google SSO sign-in > SaaS service 2FA prompt > logged in.
Atlas' method works fine for us as we have 2FA forced in Google Apps, but it makes the alerts pointless as they warn us that Google users don't have 2FA.
Kushal, good suggestion. I would suggest as well, that it's a little more serious than just showing an indicator though. Consider:
1. Setup 2FA on your account by logging in with your user/pass (org has 2FA mandatory set).
2. Then, log in to your account using Google Auth (matching email). There's nothing stopping you doing this, and as admins we can't turn it off.
3. 2FA is now REMOVED from your account (silently, no notification to the user at all). Your email/password credentials are still valid though.
4. Now, if an unauthorised user gets access to the user/pass and tries to log in, they are presented with a 2FA enrolment process. They complete this and take over the account.
This isn't very secure and in fact is pretty much a nightmare scenario. One of two things needs to happen:
1. Google auth doesn't remove the 2FA setting on the account OR
2. Logging in via Google should clear your password credentials, making it impossible to log in via user/pass.
At the moment, it's easy for a standard user to silently/unknowingly remove 2FA from their account and revert it to user/pass only.
@Mongo can you fix this issue urgently please. This is a significant security risk for cloud MongoDB accounts.
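The two points raised in this thread, the original request to tell "no 2FA because the user has no password" apart from "has a password but no 2FA", and the four-step downgrade scenario above with its two proposed fixes, can be modelled as a small account state machine. The following is an added example written for this discussion, not MongoDB or Atlas code: the `Account` fields, the three `federated_login_*` policies and the sample accounts are assumptions that mirror what the commenters describe, not Atlas internals. The invariant an org with "Require 2FA" expects is simple: no account may have a working password path without MFA enrolled, and an audit should only flag accounts that break it.

```python
"""Model of the login/MFA transitions described in the thread (added example)."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Account:
    email: str
    has_password: bool = False   # email/password login path exists
    mfa_enrolled: bool = False   # 2FA set up on the service-side account
    federated: bool = False      # has logged in via Google/SAML at least once


def classify(acct: Account) -> str:
    """Audit label that separates 'no password at all' from 'password without MFA'.

    A federated-only user has no password path, so MFA is delegated to the
    identity provider and should not show up as an audit finding."""
    if not acct.has_password:
        return "federated-only (MFA delegated to IdP)"
    if acct.mfa_enrolled:
        return "password + MFA"
    return "password without MFA" + (" (also uses federated login)" if acct.federated else "")


def password_path_unprotected(acct: Account) -> bool:
    """The invariant violation: a usable password login with no MFA behind it."""
    return acct.has_password and not acct.mfa_enrolled


# --- Three possible behaviours for step 2 of the scenario (Google login) ---

def federated_login_as_described(acct: Account) -> Account:
    """Behaviour the commenter reports: MFA is silently cleared, password kept."""
    return replace(acct, federated=True, mfa_enrolled=False)


def federated_login_keep_mfa(acct: Account) -> Account:
    """Proposed fix 1: federated login leaves the MFA setting alone."""
    return replace(acct, federated=True)


def federated_login_drop_password(acct: Account) -> Account:
    """Proposed fix 2: federated login removes the password path entirely."""
    return replace(acct, federated=True, has_password=False, mfa_enrolled=False)


Policy = Callable[[Account], Account]


def run_scenario(policy: Policy) -> Account:
    """Steps 1-2 of the thread's scenario under a given federated-login policy."""
    acct = Account("alice@example.com", has_password=True)  # constructed user
    acct = replace(acct, mfa_enrolled=True)                  # step 1: enrols 2FA
    return policy(acct)                                      # step 2: logs in via Google


def audit(accounts: List[Account]) -> Dict[str, str]:
    """Classification per account; only the unprotected password paths are findings."""
    return {a.email: classify(a) for a in accounts}


def findings(accounts: List[Account]) -> List[str]:
    """Emails that need action, i.e. accounts violating the MFA invariant."""
    return [a.email for a in accounts if password_path_unprotected(a)]


# Constructed sample team: one clean, one real finding, one federated-only,
# and one silently downgraded by the reported behaviour.
SAMPLE_TEAM = [
    Account("ok@example.com", has_password=True, mfa_enrolled=True),
    Account("weak@example.com", has_password=True),
    Account("sso-only@example.com", federated=True),
    run_scenario(federated_login_as_described),
]

if __name__ == "__main__":
    for email, label in audit(SAMPLE_TEAM).items():
        print(f"{email:28} {label}")
    print("needs action:", findings(SAMPLE_TEAM))
```

Running the scenario through `federated_login_as_described` reproduces the downgrade (the password path survives with MFA gone), while either proposed fix restores the invariant; the `classify` output is what an Access Manager view would need to show so that federated-only users stop appearing as audit noise.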
Kushal, Require MFA is available under Organization -> Settings -> Require Two-Factor Authentication
However, I agree it's unclear if a user has used "Log in with Google" to log in. Organization -> Access Manager will show if a user has enabled 2FA next to the user display name with "√ 2FA".
It would be great to show if Google auth is enabled for a user.