CloudNebulaProject/barycenter
1
0
Fork 0
mirror of https://github.com/CloudNebulaProject/barycenter.git synced 2026-04-10 21:20:41 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
barycenter/book/src/authentication/2fa-user-optional.md
Till Wegmueller 39eb8206a1
docs: Add comprehensive mdbook documentation 
Complete documentation site covering all aspects of Barycenter:
Getting Started, Authentication, OAuth 2.0/OIDC, Authorization
Policy Engine, Administration, Deployment, Security, Development,
and Reference sections (96 markdown files).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-14 17:59:55 +01:00

2.2 KiB
Raw Blame History

User-Optional 2FA

Status: This feature is planned but not yet implemented.

User-optional two-factor authentication will allow users to enable 2FA for their own accounts through a self-service interface, without requiring an administrator to set the flag.

Planned Functionality

When implemented, this mode will provide:

  • Self-service enrollment: Users will be able to enable 2FA from an account settings page, requiring them to register at least one passkey as part of the enrollment process.
  • Self-service disablement: Users will be able to disable self-imposed 2FA from the same settings page, typically requiring a passkey verification to confirm the change.
  • Independent of admin enforcement: User-optional 2FA will coexist with admin-enforced 2FA. If an administrator has already mandated 2FA for a user, the user cannot disable it. If the user enables 2FA voluntarily, the administrator can still override the setting.

How It Will Differ from Admin-Enforced 2FA

Aspect Admin-Enforced User-Optional (Planned)
Who enables it Administrator via GraphQL API User via account settings UI
Who can disable it Administrator only User (unless admin also enforces)
Requires passkey Passkey must be enrolled beforehand Enrollment is part of the setup flow
Stored as requires_2fa = 1 in users table Separate user-preference flag

Current Alternatives

Until user-optional 2FA is available, the same outcome can be achieved through:

  1. Admin-enforced 2FA: An administrator can enable 2FA for individual users using the setUser2faRequired mutation. See Admin-Enforced 2FA.
  2. Context-based 2FA: Applications can require 2FA for specific operations by requesting high-value scopes or setting a low max_age.

Tracking

This feature is tracked in the project's pending work. Contributions are welcome -- see Contributing for guidelines.