Improve 2FA and auth management
Right now, there is no way to require Google auth or to require 2FA. The only way to enforce 2FA for a team is to check the team management page. However, since some users may have only used Google auth to log in, they will show up in this view as not having 2FA, creating auditing headaches. Please:
- indicate if a user does not have 2FA because they do not have a password, vs. just not having 2FA
- ideally, add the ability to require 2FA and/or Google auth for all team members
In Algolia and similar SaaS, enabling 2FA still requires the 2FA for the PaaS regardless of the authentication source.
So Google SSO sign-in > SaaS service 2FA prompt > logged in.
Atlas' method works fine for us, as we have 2FA forced in Google Apps, but it makes the alerts pointless as they warn us that Google users don't have 2FA.
Kushal, good suggestion. I would suggest as well that it's a little more serious than just showing an indicator though. Consider:
1. Setup 2FA on your account by logging in with your user/pass (org has 2FA mandatory set).
2. Then, log in to your account using Google Auth (matching email). There's nothing stopping you doing this, and as admins we can't turn it off.
3. 2FA is now REMOVED from your account (silently, no notification to the user at all). Your email/password credentials are still valid though.
4. Now, if an unauthorised user gets access to the user/pass and tries to login they are presented with a 2FA enrolment process. They complete this and take over the account.
This isn't very secure and in fact is pretty much a nightmare scenario. One of two things needs to happen:
1. Google auth doesn't remove the 2FA setting on the account OR
2. Logging in via Google should clear your password credentials, making it impossible to log in via user/pass.
At the moment, it's easy for a standard user to silently/unknowingly remove 2FA from their account and revert it to user/pass only.
@Mongo can you fix this issue urgently pls. This is a significant security risk for cloud mongodb accounts.
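As an added illustration written for this thread (example code, not MongoDB's or Atlas's own implementation), the toy model below tracks one user's login factors and compares the behaviour reported in steps 1-4 above with the two proposed fixes (keep 2FA on Google login, or drop the password on Google login). It also produces the audit status asked for in the first post, separating "no password, so 2FA not applicable" from "password without 2FA". All policy names, the `Account` fields and the sample team are assumptions made for the example.

```python
# Added illustration for this thread (hypothetical; not the product's real code):
# a toy model of one user's login factors under three policies for what a
# "Log in with Google" sign-in does to the other factors.
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    password_set: bool = False    # an email/password credential exists
    totp_enrolled: bool = False   # 2FA is enrolled for password logins
    google_linked: bool = False   # the user has signed in via Google auth


# Hypothetical policy names for the example.
FLAWED = "flawed"                # behaviour reported above: 2FA silently removed
KEEP_2FA = "keep_2fa"            # fix 1: Google auth leaves the 2FA enrolment alone
DROP_PASSWORD = "drop_password"  # fix 2: Google login clears the password credential


def google_login(acct: Account, policy: str) -> Account:
    """Apply the side effects of a Google sign-in to the account under `policy`."""
    acct.google_linked = True
    if policy == FLAWED:
        acct.totp_enrolled = False
    elif policy == KEEP_2FA:
        pass
    elif policy == DROP_PASSWORD:
        acct.password_set = False
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return acct


def password_only_reaches_enrolment(acct: Account) -> bool:
    """True when a password alone, with no second factor, is enough to reach the
    2FA enrolment screen (the state step 4 above describes). False when password
    login is impossible or is already gated by an existing enrolment."""
    return acct.password_set and not acct.totp_enrolled


def audit_status(acct: Account) -> str:
    """Status for a team-management view that separates 'no password' from 'no 2FA'."""
    if not acct.password_set:
        return "google-only: no password, 2FA not applicable"
    if acct.totp_enrolled:
        return "password + 2FA"
    return "password WITHOUT 2FA"


def audit_team(accounts):
    """Return ({email: status}, [emails whose password alone reaches enrolment])."""
    report = {a.email: audit_status(a) for a in accounts}
    attention = [a.email for a in accounts if password_only_reaches_enrolment(a)]
    return report, attention


def demo():
    # Constructed sample team: the same starting state (password + 2FA) is put
    # through a Google sign-in under each policy, plus one user who never enrolled.
    team = []
    for policy in (FLAWED, KEEP_2FA, DROP_PASSWORD):
        acct = Account(f"{policy}@example.com", password_set=True, totp_enrolled=True)
        team.append(google_login(acct, policy))
    team.append(Account("never-enrolled@example.com", password_set=True))
    return audit_team(team)


if __name__ == "__main__":
    report, attention = demo()
    for email, status in report.items():
        print(f"{email:32} {status}")
    print("needs attention:", attention)
```

Under the `flawed` policy the account ends up in exactly the same audit state as a user who never enrolled, which is why an indicator alone does not help: the view cannot tell a silently downgraded account from a merely lazy one. Under either fix the account never enters the "password without 2FA" state after a Google sign-in.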
Kushal, Require MFA is available under Organization -> Settings -> Require Two-Factor Authentication
However, I agree it's unclear if a user has used "Log in with Google" to log in. Organization -> Access Manager will show if a user has enabled 2FA next to the user display name with "√ 2FA".
It would be great to show if Google auth is enabled for a user.