Default 2FA email for new users invited to organizations with 2FA-policy enabled

[leclou69]

Hi there,
following situation:
Created new organization, enabled 2FA policy, invited new user.
User gets invitation via email, creates new account, but is not able to confirm the invitation to the organization, as he hasn’t got the possibility to activate 2FA-authentication yet.
So he has to activate 2FA-authentication and follow the invitation link once again to accept it.
The wiki at Home · dani-garcia/vaultwarden Wiki · GitHub refers to bitwarden’s help Enterprise Policies | Bitwarden Help Center 1 where they say:
“New users will be automatically setup with email-based two-step login, but can change this at any time”
But this doesn’t happen.
Would be very cool if you could solve it as it is described in the bitwarden help, as the actual way is very irritating for new invited users.
Thanks in advance, Markus

[jobritz]

I think this function has been implemented. Check out the Enviroment Variables EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE and EMAIL_2FA_AUTO_FALLBACK, it works for me by setting EMAIL_2FA_AUTO_FALLBACK to true

[stefan0xC]

It has been implemented in #4317 (which at the moment is only available in testing not v1.30.5) and by default Vaultwarden will mirror Bitwarden (i.e. if you are using an invite link to an organization that has the 2FA policy enabled, it will set up mail as second factor provided that you have not disabled mail as 2fa provider, i.e. _ENABLE_EMAIL_2FA=false), so you should not have to configure those options.

• EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE would skip the policy check on registration via the invite link
• EMAIL_2FA_AUTO_FALLBACK also automatically sets up email as second factor when accepting an invite or confirming, restoring or demoting the role of an existing user, if 2FA is required for the given organization.