Skip to content

Add ability to enforce 2FA for all members of the team #5855

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
zoldar merged 23 commits into from
Nov 4, 2025
Merged

Add ability to enforce 2FA for all members of the team #5855

zoldar merged 23 commits into from
Nov 4, 2025

Conversation

@zoldar
Copy link
Contributor

@zoldar zoldar commented Oct 30, 2025
edited
Loading

Changes

Depends on #5868 merged

This PR introduces ability to enforce 2FA for members of the team. It can only be toggled by team owners.

There's a new section under "Team Settings" > "General" called "Force Two-Factor Authentication"

image

Enforcement can be toggled on and off at any time, but only by one of team owners:

image

Additionally, disabling enforcement of 2FA requires password confirmation for added security:

image

Members trying to access team with "Enforce 2FA" enabled but without 2FA setup yet are forcibly redirected to the first step of 2FA setup:

image

User in such situation can either finish the setup or switch to another team. However, whenever they switch to the team with enforcement enabled they will be redirected to the setup until they complete it.

An e-mail notification is sent to all team members (except the owner user triggering the change) to help clarify why they got locked out of their dashboard:

image

Technicalities

The flag is stored in team's policy embed as an additional force_2fa property which defaults to false.

As this feature is available from both CE and EE, the policy embed is getting expose in CE as well. The column is added to CE in a CE-only migration which will be extracted from this PR once it's reviewed.

The gating is done by RequireAccount plug as the guarded routes perfectly overlap for both. The 2FA setup routes and team switch route are excluded from enforcement check, similarly like email verification routes are excluded for unverified user enforcement.

Tests

  • Automated tests have been added

Changelog

  • Entry has been added to changelog

Documentation

  • Docs have been updated

Dark mode

  • The UI has been tested both in dark and light mode

@zoldar zoldar added the preview label Oct 30, 2025
@github-actions
Copy link

github-actions bot commented Oct 30, 2025

Preview environment👷🏼‍♀️🏗️
PR-5855

@zoldar zoldar force-pushed the force-2fa branch 5 times, most recently from 1ee0e1b to 6c1b2ac Compare November 4, 2025 00:01
@zoldar zoldar changed the title Force 2fa Add ability to enforce 2FA for all member of the team Nov 4, 2025
@zoldar zoldar marked this pull request as ready for review November 4, 2025 09:58
@zoldar zoldar requested a review from a team November 4, 2025 09:58
@zoldar zoldar changed the title Add ability to enforce 2FA for all member of the team Add ability to enforce 2FA for all members of the team Nov 4, 2025
ukutaht
ukutaht reviewed Nov 4, 2025
View reviewed changes
@zoldar zoldar requested a review from ukutaht November 4, 2025 14:14
@zoldar zoldar mentioned this pull request Nov 4, 2025
Merged
@zoldar zoldar added this pull request to the merge queue Nov 4, 2025
Merged via the queue into master with commit a07aaa6 Nov 4, 2025
16 checks passed
@zoldar zoldar deleted the force-2fa branch November 4, 2025 16:37
@zoldar zoldar mentioned this pull request Nov 4, 2025
Merged
1 task
This was referenced Nov 24, 2025
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ukutaht ukutaht ukutaht approved these changes

Assignees

No one assigned

Labels

preview

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@zoldar @ukutaht