Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Per #2371315: Remove UID 1 enforcement of TFA and allow hooks to require, TFA Basic could implement a TFA setup requirement to force people to have set up TFA in order to log in.
Patch at https://www.drupal.org/node/2371315#comment-9624453 can be ported to TFA Basic.
| Comment | File | Size | Author |
|---|---|---|---|
| #10 | 2457823-tfa-basic-required-10.patch | 6.32 KB | coltrane |
| #9 | 2457823-tfa-basic-required-9.patch | 3.44 KB | coltrane |
| #8 | 2457823-tfa-basic-required-8.patch | 3.43 KB | coltrane |
| #7 | 2457823-tfa-basic-required-7.patch | 3.34 KB | coltrane |
| #1 | 2457823-tfa-basic-required.patch | 2.23 KB | coltrane |
Comments
Comment #1
coltraneTo start, here's the old functionality from TFA module.
Comment #2
coltraneComment #3
scor commentedI agree something needs to be done to avoid locking UID 1 out of the site as described in #2371315: Remove UID 1 enforcement of TFA and allow hooks to require. In the end we're talking about replacing the 'require TFA' permission with a new permission 'bypass tfa setup', which makes total sense when rolling out TFA onto an existing site. However, just as the 'require TFA' had the unintended consequence of locking UID 1 and any user with the administrator role w/o TFA setup out of the site, in the case of the proposed new permission 'bypass tfa setup', it means that it will not be possible to lock any account that doesn't have TFA setup. In other words, once this module is enabled, UID1 (or any user with the "admin role") will have the permission to bypass TFA setup, allowing any attacker who manage to guess the password of any of those accounts to setup TFA and take over the account. Having a grace period to let people setup TFA is great, but there should be a way to lock any account that hasn't setup TFA within the grace period.
I'm wondering if instead of a user permission, we should use a multi-choice checklist, for example:
Roles allowed to bypass TFA during the login process:
[ ] authenticated user
[ ] administrator
[ ] editor
If you feel this is better as a separate feature request, then I'm happy to create it, but regardless we should be aware of the consequences of implementing the bypass feature as a user permission.
Comment #4
scor commentedQuick nitpick on the 'bypass tfa setup' permission. If I understand this properly, we're actually not bypassing the TFA setup during login. What we're bypassing is the requirement to have already setup TFA (which is the default requirement w/o this new permission). Maybe a better permission name would be 'bypass tfa'.
Also, the way I understand the current patch is that someone with that new bypass permission could very well decide to never setup TFA on their account, and leave it open to hackers to compromise the account with just a password. Another reason why it's dangerous to automatically grant that permission to UID 1 per my previous comment.
Comment #5
coltraneGreat point @scor! As always I really appreciate your feedback :).
It's true that any role-based selection will have the UID 1 loophole so let's just move it to a TFA-specific setting. Your proposal in #3 seems appropriate for this issue.
Comment #6
scor commentedAnother side effect of the bypass permission that I'm noticing while testing the patch #1: given that authenticated users are not granted the bypass tfa permission by default, they are locked out as soon as TFA is enabled. Maybe we should grant this bypass permission to the authenticated user role to make the TFA roll out easier, or switch to my proposal in #3. Looks like we're in agreement @coltrane...
Comment #7
coltraneAttached patch implements recommendation from #3
Once TFA is enabled all users will be locked out so perhaps administrators should be allowed by default to bypass (and messages set so the person setting up TFA doesn't forget to remove the bypass) or the user setup page control from #2371315: Remove UID 1 enforcement of TFA and allow hooks to require should be ported over.
Comment #8
coltraneAnd this patch flips from a bypass to a required, since the original functionality that's being removed in #2371315: Remove UID 1 enforcement of TFA and allow hooks to require was about requiring TFA setup for certain roles.
This way, an admin can enable TFA and allow anyone to set it up and after awhile start requiring it for all admins or other privileged roles.
Comment #9
coltraneRe-roll to catch hook rename to 'tfa_ready_require' https://www.drupal.org/node/2371315#comment-9867465
@scor, any feedback/review?
Comment #10
coltraneFound that there were message on the disable form that needed to be updated for this feature. This patch also fixes #2333773: TFA disable warning always applies to UID 1
Comment #12
coltraneI committed #10.
Comment #13
scor commentedThanks for implementing this fix Ben. Sorry I couldn't test your patch earlier. I tested 7.x-1.x and the workflow works great aside from #2481215: PHP notices when no fallback setup.
Here is the workflow I tested:
- created user with admin role
- set admin role to be a required TFA role using the new checkboxes implemented in the patch
- user was not able to log in (error message saying to contact site admin)
- removed admin role from user
- user was able to log in and set up TFA (I had given the Set up TFA for account permission to auth user role)
- user logged out
- granted admin role to user
- user was able to log in with TFA