Allow a Tenant to force all Auth0 Dashboard users to have MFA active

Feature:

Allow a Tenant to force all Auth0 Dashboard users to have MFA active.

Description:

I would like to enforce that MFA is active for all users of the Auth0 Dashboard that can see and modify how our Auth0 Tenant is configured. Any users that do not have MFA active should be unable to access the dashboard until their MFA is set up.

It is undesirable to need to regularly check the Auth0 Dashboard manually to ensure all dashboard users currently have MFA enabled and to chase any users without MFA to enable it.

This request was originally raised as a support ticket, but I was informed it was currently a product feature request with no ETA and that raising it here was the preferred way to upvote this product request's priority. See also Enforce MFA for Dashboard Admins

Use-case:

Auth0 is a primary authentication mechanism for a service provided to our customers that expect PCI and SOC2 compliance, so we want to ensure that the ability to modify how auth is performed is subject to strong security checks.

Hey there @jasonsection - Welcome to the community and thanks for the feedback! We do monitor these closely for community engagement, so hopefully this gets some votes from other members :crossed_fingers:

1 Like

I’m somewhat surprised this isn’t already an option for a security/identity focussed platform such as Auth0, especially given we’re able to enforce MFA for customers.

Another option is setting up SSO for business users and enforcing strong authentication requirements in your internal IdP, but as invites can be accepted by recipients using any of the available login methods, that doesn’t guarantee that tenant members will always be covered by those requirements. The only way I can see to guard against this is regularly auditing the lists of tenant members and their IdP - which is time-consuming and will end up getting overlooked.

The thread linked above included a statement suggesting this was in the works in 2017, are there any updates available?

4 Likes

I also find it very bizarre that you can force it for API/Application users but not for admin/dashboard users. Maybe because dashboard users should be very small and you can manually manage it easier. IDK, it’s really something I don’t want to have to think about, and it can be very devastating if one person has a bad security moment.

3 Likes

+1 for this request. We absolutely want to enforce MFA for tenant logins, and doing it through manual audit can lead to potential issues.

2 Likes

Where do we stand on this? Is there a way to enforce it for tenant admins? I see there is an MFA section in “Security” => “Multi-Factor Auth”, but I believe this is for end-customers of our applications and not only admins.

1 Like

Json.littera said it best, so I’ll just copy his response:
+1 for this request. We absolutely want to enforce MFA for tenant logins, and doing it through manual audit can lead to potential issues.

2 Likes

+1, we really want to enforce MFA.

2 Likes

Thank you everyone for advocating for that and sharing all the additional context. We review those feedback cards on a monthly basis and once we have any updates on that front we will get back to you!

Any updates here? I just went to add some senior developers to our dashboard and was really surprised to find that we couldn’t enforce MFA to be enabled. This makes me a bit nervous as we’ll be going through SOC2 soon, and my understanding is MFA is a pretty standard requirement for any integrated system that deals with user data.

2 Likes

I see threads regarding this feature since 2017 saying it is an in-progress feature. Almost 7 years later and no feature yet. Why do you at Okta/Auth0 think this feature is not a must?

There is a lack of dashboard user permissions; we can live with that, but MFA enforcement is a MUST!

Hope to see this feature live soon.
Thanks.

1 Like

By reading this thread and other threads in the Auth0 community, sorry, but I’m not sure Auth0 is reviewing clients’ asks.

Could you enforce SSO for Dashboard logins using the Security Policies available to Public Cloud Enterprise Tenants? This way, you could rely on your SSO provider to enforce MFA.