Allow each admin user to choose which 2fa providers to setup

[willjones9]

Preconditions

• Magento 2.4.0
• PHP 7.3 and 7.4

Steps to reproduce

Enable (and configure) the following 2FA providers:

• Duo
• Google
• U2F.

Expected result

A user can choose between one of the three 2FA methods.

Actual result

Magento expects all three 2FA providers to be configured for every user account and it is not possible to pick and choose which provider is used on a per user basis.

• Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.

Configuring multiple 2FA providers causes the system to see them all as forced providers, meaning that they have to be configured for each and every user in the system as opposed to allowing a user to choose between one of the enabled providers.

This is a problem, considering that merchants may wish to configure the second factor authentication method on a user or role basis. For example, store administrators may wish to use Duo, whereas employees dealing with order fulfillment (who perhaps don't need to access the admin area out of hours and not have mobile phones on them during their day) may need to use a U2F such as Yubikey or similar.

The current implementation does not allow for this use case, which seems like it should be a very obvious option that should be included.

[ihor-sviziev]

2FA module was moved to https://github.com/magento/security-package/.
@sdzhepa @naydav could you move this issue into this repo?

[sdzhepa]

Thank you @ihor-sviziev
cc: @willjones-stratagem
Transferred to security-package repo

[m2-assistant]

Hi @willjones-stratagem. Thank you for your report.
To help us process this issue please make sure that you provided sufficient information.

Please, add a comment to assign the issue: @magento I am working on this

---

• Join Magento Community Engineering Slack and ask your questions in #github channel.

[nathanjosiah]

@willjones-stratagem Thank you for the report! This is by design. Once a user has configured all enabled providers they are able to choose which one they want to authenticate with.

[nathanjosiah]

To expand on my explanation, your users can configure the one they have access to at the time, then later when they have access to another they can configure the second one. You can skip configuration of a provider as long as you have at least one already configured. Once they have both configured they can simply choose which one they want to use at a given time.