20002: Create 2FA enforcement setting for 2FA plugin - LimeSurvey bugs and feature requests

This bug affects 1 person(s).

ID	Project	Category	View Status	Date Submitted	Last Update

20002	Bug reports	Authentication	public	2025-03-11 17:27	2025-03-25 14:35

Reporter	c_schmitz	Assigned To	DenisChenu
Priority	urgent	Severity	feature
Status	closed	Resolution	fixed
Product Version	6.6.x
Fixed in Version	6.6.x

Summary	20002: Create 2FA enforcement setting for 2FA plugin
Description	Currently the 2FA plugin does prompt to set up 2FA. but it does not not enforce it, contrary to the settings name in the plugin ("force2fa"). Task: Add an option to the 2FA plugin that does proper enforcment of 2FA. The user should not be able to execute any further actions (except maybe to log out) in the application until 2FA is properly set up. Rename the current setting description to "Enforce 2FA on login" with the following options: `'0 ' => 'No', '1' => 'Only prompt, no enforcement', '2' => 'Always enforce',` Setting 1 is the current prompt behavior. Setting 2 is the new real enforcement.
Steps To Reproduce	Log in as superadmin, Activate the 2FA plugin. Set "Prompt to activate 2FA on login" to 'yes'. Log out and log in again, see that your are only prompted to set up 2FA but you can skip it.
Tags	No tags attached.

Bug heat	4
Complete LimeSurvey version number (& build)	6.6
I will donate to the project if issue is resolved	No
Browser
Database type & version	.
Server OS (if known)
Webserver software & version (if known)
PHP Version	.

User List	There are no users monitoring this issue.

DenisChenu 2025-03-12 00:51 developer ~82229	My opinion : 2FA must happen after login : Connect with user/pass If OK : show 2FA code If OK : connect If 'Always enforce' is set : 2 replaced by "Show 2FA creation form"

DenisChenu 2025-03-14 15:16 developer ~82241	Need to add an event plugin

DenisChenu 2025-03-14 15:24 developer ~82242	`'2' => 'Always enforce',` too `'2' => 'Always enforce 2FA activation and authentication',`

DenisChenu 2025-03-14 16:55 developer ~82243	https://github.com/LimeSurvey/LimeSurvey/pull/4202

DenisChenu 2025-03-14 17:31 developer ~82247	After reflection: I leave TwoFactorAdminLogin with SAML and other redirect system, and Setting LDAP as default method of authentication disables 2FA input on login screen. For redirect : must add an option : some user can want 2FA for internal user only, but not for CAS or OAuth plugin because CAS and OAuth can have their own 2FA.

tibor.pacalat 2025-03-19 11:33 administrator ~82287	Tested and merged! Please update the manual :)

DenisChenu 2025-03-19 17:50 developer ~82293	https://www.limesurvey.org/manual/index.php?title=TwoFactorAdminLogin&oldid=379777&diff=379790

Date Modified	Username	Field	Change
2025-03-11 17:27	c_schmitz	New Issue
2025-03-11 17:28	c_schmitz	Priority	none => high
2025-03-11 17:30	tibor.pacalat	Assigned To	=> DenisChenu
2025-03-11 17:30	tibor.pacalat	Status	new => assigned
2025-03-12 00:49	DenisChenu	Relationship added	related to 17693
2025-03-12 00:50	DenisChenu	Relationship added	related to 17434
2025-03-12 00:51	DenisChenu	Note Added: 82229
2025-03-12 00:51	DenisChenu	Bug heat	0 => 2
2025-03-13 14:16	tibor.pacalat	Priority	high => urgent
2025-03-14 15:16	DenisChenu	Note Added: 82241
2025-03-14 15:24	DenisChenu	Note Added: 82242
2025-03-14 16:55	DenisChenu	Note Added: 82243
2025-03-14 16:55	DenisChenu	Assigned To	DenisChenu => tibor.pacalat
2025-03-14 16:55	DenisChenu	Status	assigned => ready for code review
2025-03-14 17:31	DenisChenu	Note Added: 82247
2025-03-14 17:39	c_schmitz	Status	ready for code review => ready for testing
2025-03-19 11:33	tibor.pacalat	Assigned To	tibor.pacalat => DenisChenu
2025-03-19 11:33	tibor.pacalat	Note Added: 82287
2025-03-19 11:33	tibor.pacalat	Bug heat	2 => 4
2025-03-19 17:50	DenisChenu	Note Added: 82293
2025-03-19 17:50	DenisChenu	Status	ready for testing => resolved
2025-03-19 17:50	DenisChenu	Resolution	open => fixed
2025-03-19 17:53	DenisChenu	Relationship added	related to 20023
2025-03-25 14:35	c_schmitz	Status	resolved => closed
2025-03-25 14:35	c_schmitz	Fixed in Version	=> 6.6.x

related to	17693	confirmed		Bug reports	LDAP and 2FA plugin conflict
related to	17434	assigned	DenisChenu	Feature requests	TwoFactorAdminLogin work only with AuthDB
related to	20023	new		Feature requests	Add remote control allowed to Permission