Problem/Motivation
The Excluded section of the configuration for this module makes the assumption, I guess, that users with high enough permissions don't need to bother with 2 factor authentication, while less privileged users do. But in my case, less privileged users (with just the authenticated role) don't have any power, so we don't require 2fa for them. Meanwhile, admins can do lots of stuff, so we want to ask them to jump through more hoops to log in.
Right now I can exclude certain roles from using 2FA, including the "Authenticated" role. But doing that means anyone with any higher level of permission is also excluded. Essentially, if I exclude the "Authenticated" role I've effectively disabled the module for every logged-in user.
Steps to reproduce
- Set up the module to require 2fa with the "Authenticated" user excluded, but all other higher-level permissions enabled.
- Log in as a user with a higher role, like an Administrator
- See no 2fa prompt
Here's my example setup:
Proposed resolution
There's ambiguity in the "Exclude roles" field that we could clear up by adding another field, and this would also allow us to add logic to force only Admins to use 2fa. Here's my proposed screenshot:
This adds a field that allows users to switch the logic of the "Excluded Roles" field between "Disable Email TFA for users with any of the following roles" which is what the module does now, and "Force Email TFA for users with any of the following roles" which is what I need. I'll add a patch for this in the next comment.
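The role check the proposal describes, written out as plain PHP so the two modes can be compared side by side. This is an added example, not the Email TFA module's own code: it uses no Drupal API, and the function name, the mode constants, the assumed machine names of the setting values and the sample role lists are all assumptions made for illustration.

```php
<?php
// Added example, not the Email TFA module's own code. Models the proposed
// "role_exclusion_type" setting as plain PHP with no Drupal API calls; the
// function name, the MODE_* constants and the sample roles are assumptions.

const MODE_DISABLE_FOR_ROLES = 'disable'; // existing behaviour (assumed name)
const MODE_FORCE_FOR_ROLES   = 'force';   // proposed behaviour (assumed name)

/**
 * Decide whether a user must complete email TFA.
 *
 * @param string[] $userRoles       Role machine names held by the user.
 * @param string[] $configuredRoles Roles selected in the "Excluded roles" field.
 * @param string   $mode            Value of the proposed role_exclusion_type field.
 */
function email_tfa_required(array $userRoles, array $configuredRoles, string $mode): bool {
  // Does the user hold at least one of the configured roles?
  $holdsConfiguredRole = count(array_intersect($userRoles, $configuredRoles)) > 0;

  switch ($mode) {
    case MODE_FORCE_FOR_ROLES:
      // Proposed logic: TFA applies only to users holding a selected role.
      return $holdsConfiguredRole;

    case MODE_DISABLE_FOR_ROLES:
    default:
      // Existing logic: any matching role switches TFA off. Unknown or
      // missing values (config saved before the schema change) fall through
      // here so the change stays backward-compatible.
      return !$holdsConfiguredRole;
  }
}

// Constructed sample users: in Drupal every logged-in account carries the
// 'authenticated' role, so the administrator holds it too.
$admin  = ['authenticated', 'administrator'];
$member = ['authenticated'];

// Reproduces the issue: excluding 'authenticated' in the existing mode
// disables TFA for the administrator as well as the plain member.
$existing = [
  'admin'  => email_tfa_required($admin,  ['authenticated'], MODE_DISABLE_FOR_ROLES),
  'member' => email_tfa_required($member, ['authenticated'], MODE_DISABLE_FOR_ROLES),
];

// Proposed mode: selecting 'administrator' requires TFA for the admin only.
$proposed = [
  'admin'  => email_tfa_required($admin,  ['administrator'], MODE_FORCE_FOR_ROLES),
  'member' => email_tfa_required($member, ['administrator'], MODE_FORCE_FOR_ROLES),
];

var_dump($existing, $proposed);
```

Run with `php example.php`: in `$existing` both users come back `false` (nobody is prompted, which is the bug described above), while in `$proposed` the administrator is `true` and the member `false`. The `default` branch returning the existing behaviour is what keeps old configuration working if the new field is absent or set to an unexpected value.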
Remaining tasks
Add patch
User interface changes
New field on the Settings page that lets you choose the type of exclusion rules applied by Role. The existing logic will be assumed to be the default, so the module will be backward-compatible even if the config change is undone.
Data model changes
New schema field "role_exclusion_type".