Allow the organization owner to control organization settings, such as enforcing 2FA for all members of the organization and whether the emails of members are visible to the owner and/or other users.
Ryan H: Although users can verify from time to time that org members indeed have it switched on, security requirements may require that all members have it on at all times (where users can’t disable it and new org members can’t sign in without it enabled).
Thodoris set the status to Planned
Thodoris: Here is our current idea/plan on this:
We want to offer an org-level option to enable Mandatory 2FA, where:
- We will only allow enabling this option once every member of the org has enabled 2FA on their account.
- Users w/o 2FA will not be able to join the org after enabling it.
- Mandatory 2FA & exposing member 2FA status to org administrators will be available to all plans.
As a step 1 before being able to implement that, we need to change the “Add user by username” mechanism so that:
- Adding users by username to an org/app should follow the invitation flow.
- Adding by username to an app for a user that’s already a member of the org will be allowed/not need an invite.
- That avoids the concern of exposing user 2FA status (and potentially other info in the future) to org administrators w/o user consent.
A suggestion for Balena: integrate with a platform like WorkOS (https://workos.com/). I’m actually a customer of WorkOS myself, and it’s super useful for integrating enterprise features such as 2FA, but more importantly SSO. The added benefit of the WorkOS pricing model is that you can pass that cost through to us, your business customers, who want SSO.
You shouldn’t need to roll your own for this kind of solution; as a business customer, we want to make sure it works, not that you built it.