Feature #35086

closed

Please consider changing the way 2FA is set up

Added by robert heiler almost 3 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Accounts / authentication
Target version: -
Start date: -
Due date: -
% Done: 0%
Estimated time: -
Resolution: Invalid

Description

Hey guys,

I don't want to write too much, so it is not hard for you to handle this
issue.

Recently the ruby bug tracker has been changed to require 2FA.

This is a problem for me as I don't have a smartphone, so the change
locked me out of the bug tracker.

Anyway - this is not about that; I would like to suggest a few things.

(1) Right now if you click "sign out" you can not sign out because
the 2FA wall shows up:

"The administrator requires you to enable two-factor authentication."

This should be different. It should ALWAYS be possible to sign out
again. Sure I can use cookies or use another browser, but I logged
into my account of ~13 years just now. Now the 2FA wall prevents me
from doing anything, including "sign out". This is not good UI.

We should be able to log out (sign out) again.

Anyway this is a smaller part.

(2) The bigger issue is that I don't get any information about
WHY 2FA is suddenly used, and who enabled it. Yes, I get it,
the site owner did so, but perhaps the site owner was not aware
that this will effectively perma-ban some users. Not everyone
has a smartphone or can use 2FA. I already explained this
on the rubygems.org GitHub issue tracker, that mandatory 2FA
means I can no longer use rubygems, so I'd have to remove
my account at rubygems.org (whereas at github I could still
publish that code, so this is weird...)

Please consider (2), because it means that the admin of a
site may accidentally retire people from ruby, without
even intending to do so. To me this is a dealbreaker,
because it means I can no longer use the official bug tracker
of ruby, which then means I can no longer voice my concern
(I don't use emails really ... never liked emails in over
20 years...). That means I'd become a second class citizen
to ruby, compared to other users, and since I have no intention
to accept this, it would effectively mean that I would also
abandon ruby in the long run.

Ruby is a great language, but to me mandatory 2FA is not
acceptable. While this is not the fault of redmine itself,
I think usability wise several things could be improved.

I assume none of you guys so far thought about how this
could cause friction and strife, so hopefully the way
2FA is explained to users can change in the long run. I
had to slowly collect that information since nothing
was announced anywhere! Suddenly from one day to the
other I was slapped in the face with that 2FA wall,
so perhaps you can understand my frustration here.


Related issues

  • Related to Redmine - Defect #35087: Users without two-factor authentication enabled cannot sign out when two-factor authentication is required (Closed, Go MAEDA)
  • Related to Redmine - Feature #34070: Allow setting a grace period when forcing 2FA (New, Marius BĂLTEANU)
  • Related to Redmine - Feature #31920: Require 2FA only for certain user groups (Closed, Marius BĂLTEANU)
  • Related to Redmine - Feature #1237: Add support for two-factor authentication (Closed, Go MAEDA, 2008-05-14)

Actions #1

Updated by Go MAEDA almost 3 years ago

  • Related to Defect #35087: Users without two-factor authentication enabled cannot sign out when two-factor authentication is required added
Actions #2

Updated by Go MAEDA almost 3 years ago

robert heiler wrote:

(1) Right now if you click "sign out" you can not sign out because
the 2FA wall shows up:

"The administrator requires you to enable two-factor authentication."

This should be different. It should ALWAYS be possible to sign out
again. Sure I can use cookies or use another browser, but I logged
into my account of ~13 years just now. Now the 2FA wall prevents me
from doing anything, including "sign out". This is not good UI.

We should be able to log out (sign out) again.

I have posted a patch for this: #35087

Actions #3

Updated by Go MAEDA almost 3 years ago

I think it is not a problem with Redmine itself that the admin of bugs.ruby-lang.org suddenly set two-factor authentication required, but what do you think should be done to improve Redmine for this?

Actions #4

Updated by Marius BĂLTEANU almost 3 years ago

I think the following two open issues will improve the current 2FA implementation:
Actions #5

Updated by Marius BĂLTEANU almost 3 years ago

  • Related to Feature #34070: Allow setting a grace period when forcing 2FA added
Actions #6

Updated by Marius BĂLTEANU almost 3 years ago

  • Related to Feature #31920: Require 2FA only for certain user groups added
Actions #7

Updated by Marius BĂLTEANU almost 3 years ago

  • Related to Feature #1237: Add support for two-factor authentication added
Actions #8

Updated by Go MAEDA over 2 years ago

  • Status changed from New to Closed
  • Resolution set to Invalid

robert heiler wrote:

(1) Right now if you click "sign out" you can not sign out because
the 2FA wall shows up:

"The administrator requires you to enable two-factor authentication."

This should be different. It should ALWAYS be possible to sign out
again. Sure I can use cookies or use another browser, but I logged
into my account of ~13 years just now. Now the 2FA wall prevents me
from doing anything, including "sign out". This is not good UI.

Fixed in #35087. Thank you for pointing it out.

(2) The bigger issue is that I don't get any information about
WHY 2FA is suddenly used, and who enabled it.

We cannot do anything about this. Please contact admins of https://bugs.ruby-lang.org/ or consider using a 2FA app that runs on PC.

Actions #9

Updated by Marius BĂLTEANU about 2 years ago

Some updates:
  • #31920 (require 2FA for some groups) is already committed.
  • #34070 (2FA grace period) and #35439 (Require 2FA only for administrators) are ready and they will be committed in the following days.

With these options, the 2FA activation process should be easier.
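The three controls discussed in this thread, the sign-out exemption from #35087, the grace period from #34070 and the per-group scope from #31920, modelled as a single request-gating decision in plain Ruby. This is an added example, not Redmine's code; the `TwofaPolicy` class, the route names in `EXEMPT_ACTIONS`, the `User` struct and the settings names are all hypothetical.

```ruby
require 'date'

# Constructed user record for the demonstration (hypothetical shape, not Redmine's User model).
User = Struct.new(:login, :twofa_enabled, :groups, keyword_init: true)

# Actions that must stay reachable while 2FA enrolment is still pending:
# sign-out (the trap described in this issue) and the enrolment pages themselves,
# without which the user could never satisfy the requirement. Hypothetical route names.
EXEMPT_ACTIONS = %w[account#logout twofa#setup twofa#activate].freeze

class TwofaPolicy
  # required_groups: nil means "every user" (the setting that locked the reporter out).
  # grace_days: days after enforced_since during which users are warned, not blocked.
  def initialize(enforced_since:, today: Date.today, required_groups: nil, grace_days: 0)
    @enforced_since = enforced_since
    @today = today
    @required_groups = required_groups
    @grace_days = grace_days
  end

  # Group scoping: does the requirement apply to this user at all?
  def required_for?(user)
    return true if @required_groups.nil?
    (user.groups & @required_groups).any?
  end

  # Grace period measured from the day enforcement was switched on (an assumption).
  def in_grace_period?
    @today < @enforced_since + @grace_days
  end

  # Decide what the before-action filter should do for one request.
  # Order matters: the exemption check comes before the requirement check,
  # so a not-yet-enrolled user can always reach sign-out.
  def decide(user, action)
    return :allow if user.twofa_enabled
    return :allow if EXEMPT_ACTIONS.include?(action)
    return :allow unless required_for?(user)
    return :allow_with_warning if in_grace_period?
    :redirect_to_twofa_setup
  end
end

if __FILE__ == $PROGRAM_NAME
  user = User.new(login: 'reporter', twofa_enabled: false, groups: ['Reporter'])
  policy = TwofaPolicy.new(enforced_since: Date.new(2021, 4, 1), today: Date.new(2021, 4, 10))
  %w[issues#index account#logout].each { |a| puts "#{a}: #{policy.decide(user, a)}" }
end
```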
