Include MFA modules #35
Comments
@brynwhyman Is this a duplicate of the Epic: MFA is in CWP by default?
@chillu no, https://github.com/silverstripeltd/product-issues/issues/153 was created as an internal epic to capture all related work under one card.
I'd like to suggest that we leave out the Security token option as what's included in the CWP module by default. There's a number of edge cases and potential for havoc without the site owner and development agency taking the time to understand these before requesting this option, including:
There's another open issue suggesting to disable the security token functionality if the subsites module is installed, but that's not covering all the edge cases. I believe something like this should still happen, but it shouldn't block sites getting access to the much more popular and accessible MFA method, TOTP.
@Cheddam has noted that there's at least one issue in the login-forms module that we'll want to look at as part of this issue. Will add to our internal epic.
We're talking about a few different options to actually make this happen. Should we:
Or:
Bryn mentioned internally that the current inclination is to leave it out of the recipes, which would introduce
So in summary, I recommend that we use the third option described here:
Also, the installer would only include the TOTP MFA method, not the WebAuthn method since that requires a bit more thought by developers (subsites, multi env usage). This should be outlined in the upgrade docs though, to ensure that WebAuthn is actually considered. It's far more secure than TOTP (lower phishing potential, domain verification built in).
I'm also advocating for the same approach in core: Add this to the installer rather than recipes. silverstripe/silverstripe-installer#280
Thanks for the comments @chillu, I agree that pushing it through the CWP-installer is still a good thing to do. Do you have any ideas on how to ensure that Developers get the TOTP encryption key .env variable? It's on the CWP platform by default so a deployed site would be covered, but can we only rely on documentation to ensure Developers are aware of this?
I've moved this issue to the cwp-installer repository and updated the description to focus on getting the modules added to this repo and some related changelog notes. Other points around further documentation will be captured in this issue: silverstripe/cwp#269
Within the scope of CWP, it's a default on Revera, and hopefully soon a default on AWS. Until that point, I think we need to add something to https://www.cwp.govt.nz/developer-docs/en/2/getting_started/
Alright, we'll have that covered in silverstripe/cwp#269
I think this AC can be removed, it's already covered in: silverstripe/cwp#269
Overview
With the next minor release of CWP, the multi-factor authentication module suite should be included for all new sites built with the cwp-installer.
What's in the MFA module suite?
Security token, via WebAuthn (see comment below)
Acceptance Criteria
The change log for the associated CWP release includes clear guidance on:
- What MFA functionality will be included
- Direct readers to documentation on getting the modules running on a local development environment
Notes
Pull Requests