Merge pull request #363 from creative-commoners/mfa-is-for-cms
DOCS which members get the MFA flow
robbieaverill authored Oct 21, 2019
2 parents cf775ac + 71385fe commit b900351
Showing 2 changed files with 26 additions and 0 deletions.
24 changes: 24 additions & 0 deletions docs/en/broadening-the-scope-of-mfa.md
@@ -0,0 +1,24 @@
# Broadening the scope of the MFA flow

## Default behaviour

The EnforcementManager class is responsible for making decisions regarding the multi factor authentication app flow, e.g. "should we redirect to the MFA section", "can the user skip MFA registration" etc.

By default, the MFA flow will only be presented during the login process to members who have access to some part of the CMS or administration area.

## Applying MFA more widely

You can broaden the scope of the MFA flow so it applies to all members, regardless of whether they have CMS or administration privileges or not by setting the following configuration:

```yaml
SilverStripe\MFA\Service\EnforcementManager:
requires_admin_access: false
```
However, note that users without access to the CMS will be unable to access their personal MFA settings and perform actions such as:
* adding additional MFA methods;
* removing, resetting, and changing default MFA methods; and
* resetting recovery codes.
A custom implementation would be required to provide this functionality. Otherwise it would be limited to CMS Administrators to [reset MFA settings](https://userhelp.silverstripe.org/en/4/optional_features/multi-factor_authentication/administrator_manual/resetting_accounts/) for a member on their behalf.
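Review bot: The caveat after the YAML block ("users without access to the CMS will be unable to access their personal MFA settings") does not say how this interacts with mandatory MFA, which the readme says can be enabled via the Settings tab. With both in effect, members without CMS access would have to register a method they cannot later change or reset themselves, so every reset falls to a CMS administrator. Suggest stating that consequence explicitly and advising that the custom self-service implementation be in place before `requires_admin_access: false` is set. Also check that `requires_admin_access` is indented under the `SilverStripe\MFA\Service\EnforcementManager:` key in the file; as shown here it sits at the same level as the class key. A blank line after the closing fence and around the bullet list would keep the Markdown rendering predictable.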
2 changes: 2 additions & 0 deletions readme.md
@@ -34,6 +34,8 @@ automatically.
After installing the MFA module and having at least one method configured, MFA will automatically be enabled. By default
it will be optional (users can skip MFA registration). You can make it mandatory via the Settings tab in the admin area.

The MFA flow will only be applied to members with access to the CMS or administration area. See '[Broadening the scope of MFA](docs/en/broadening-the-scope-of-mfa.md)' for more detail.

### Configuring custom methods

If you have built your own MFA method, you can register it with the `MethodRegistry` to enable it:
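Review bot: The added readme sentence "The MFA flow will only be applied to members with access to the CMS or administration area" reads as a fixed rule, while the new docs page describes it as the default that `requires_admin_access: false` changes. Suggest wording it as "By default, the MFA flow is only applied to ..." so readers who need MFA for all members can see it is configurable. The link text could also match the target page title, "Broadening the scope of the MFA flow".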