Allow the organization owner to control organization settings such as enforcing 2FA for all members of the organization, and whether the emails of members are visible to the owner and/or other users.
Ryan H: Although users can verify from time to time that org members indeed have it switched on, security requirements may require that all members have it on at all times (where users can’t disable it and new org members can’t sign in without it enabled).
Thodoris set the status to Planned
Thodoris: Here is our current idea/plan on this:
We want to offer an org level option to enable Mandatory 2FA which:
- We will only allow enabling this option once every member of the org has enabled 2FA on their account.
- Users w/o 2FA will not be able to join the org after enabling it.
- Mandatory 2FA & exposing member 2FA status to org administrators will be available to all plans.
As a step 1 before being able to implement that, we need to change the “Add user by username” mechanism so that:
- Adding users by username to an org/app should follow the invitation flow.
- Adding by username to an app for a user that’s already a member of the org will be allowed/not need an invite.
- That avoids the concern of exposing user 2FA status (and potentially other info in the future) to org administrators w/o user consent.
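One way to model the rules laid out in this plan, as an added example that is not balena's code: `Organization`, `User` and `PolicyError` are hypothetical names, and the checks (enable only when every member has 2FA, no joining without 2FA once enforced, invitation before any member data is visible to admins, direct app add only for existing org members) are taken from the bullet points above.

```python
"""Added illustration of an org-level mandatory-2FA policy with an invitation
flow. Hypothetical model; not balenaCloud's implementation."""
from dataclasses import dataclass, field


class PolicyError(Exception):
    """Raised when an action would violate the org's 2FA policy."""


@dataclass
class User:
    username: str
    two_fa_enabled: bool


@dataclass
class Organization:
    name: str
    members: dict = field(default_factory=dict)        # username -> User
    pending_invites: set = field(default_factory=set)  # usernames invited, not yet accepted
    mandatory_2fa: bool = False

    def enable_mandatory_2fa(self) -> None:
        # Precondition: every current member must already have 2FA on.
        missing = sorted(u.username for u in self.members.values() if not u.two_fa_enabled)
        if missing:
            raise PolicyError(f"members without 2FA: {', '.join(missing)}")
        self.mandatory_2fa = True

    def invite(self, username: str) -> None:
        # "Add by username" follows the invitation flow: the org only records
        # the invited name, not the account's 2FA status or other details.
        if username in self.members:
            raise PolicyError(f"{username} is already a member")
        self.pending_invites.add(username)

    def accept_invite(self, user: User) -> None:
        # The user consents by accepting; with mandatory 2FA on, accounts
        # without 2FA cannot join.
        if user.username not in self.pending_invites:
            raise PolicyError(f"no pending invite for {user.username}")
        if self.mandatory_2fa and not user.two_fa_enabled:
            raise PolicyError(f"{user.username} must enable 2FA before joining")
        self.pending_invites.remove(user.username)
        self.members[user.username] = user

    def add_to_app(self, username: str, app_members: set) -> set:
        # Adding to an app by username needs no invite for existing org members.
        if username not in self.members:
            raise PolicyError(f"{username} is not an org member; send an invite")
        app_members.add(username)
        return app_members

    def member_2fa_report(self) -> dict:
        # Status is exposed to org admins only for users who joined (consented);
        # pending invitees never appear here.
        return {name: u.two_fa_enabled for name, u in self.members.items()}


def run_scenario() -> dict:
    """Walk through the plan's rules with constructed sample users."""
    org = Organization("example-org")
    alice, bob = User("alice", True), User("bob", False)
    org.members = {"alice": alice, "bob": bob}
    out = {}

    try:                      # blocked: bob has no 2FA
        org.enable_mandatory_2fa()
        out["enable_with_gap"] = "allowed"
    except PolicyError as e:
        out["enable_with_gap"] = str(e)

    bob.two_fa_enabled = True
    org.enable_mandatory_2fa()
    out["mandatory"] = org.mandatory_2fa

    carol = User("carol", False)
    org.invite("carol")
    out["report_after_invite"] = org.member_2fa_report()  # carol not exposed
    try:                      # blocked: 2FA now required to join
        org.accept_invite(carol)
        out["join_without_2fa"] = "allowed"
    except PolicyError as e:
        out["join_without_2fa"] = str(e)

    carol.two_fa_enabled = True
    org.accept_invite(carol)
    out["app_members"] = org.add_to_app("carol", set())
    out["final_report"] = org.member_2fa_report()
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The invitation step is what separates the two concerns in the plan: the org learns nothing about an account until its owner accepts, and the mandatory-2FA check runs at acceptance time rather than at the moment an admin types a username.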
A suggestion for Balena: integrate with a platform like WorkOS (https://workos.com/). I’m actually a customer of WorkOS myself, and it’s super useful for integrating enterprise features such as 2FA but more importantly, SSO. The added benefit of the WorkOS pricing model is that you can pass that cost through to us, your business customers, who want SSO.
You shouldn’t need to roll your own for this kind of solution - as a business customer, we want to make sure it works, not that you built it.
Just a quick update on this… We’ve completed some of the preliminary tasks mentioned in the system update above and users can no longer be added to organisations without their consent.
We’ve still got work to do to enable org level management and visibility of 2FA status, which we’ll keep you updated on when we’re able to prioritise.
On a related note, and in case anyone missed it, we released Single Sign-on (SSO) for all balenaCloud orgs last year, which utilizes SAML (Security Assertion Markup Language) and allows users to integrate their existing identity provider with balenaCloud, streamlining the login process and providing a secure, centralized authentication system for entire organizations.
With SAML SSO, managing user access becomes more efficient, reducing the risk of unauthorized access and enhancing overall security.