Better support for MFA / 2FA enforcement and management

[simonech]

Problem statement

Umbraco supports MFA, but its activation is currently opt-in and user-driven.

As a result:

• MFA cannot be enforced centrally
• users can “forget” (or choose not) to enable MFA and still access the backoffice
• it is not possible to apply MFA requirements selectively (e.g. admins vs editors)

From a security perspective, this makes it difficult to:

• enforce MFA for privileged accounts
• align with common security baselines and audit requirements

Proposed ideas

1. Enforced MFA based on user group

Allow MFA requirements to be defined per user group, for example:

• administrators: MFA required
• editors: MFA optional

This would align well with a group-based security configuration approach.

2. MFA enrollment flow

Possible approaches for enforcing MFA enrollment:

• Prompt users to configure MFA automatically on their first login
• Alternatively, allow a grace period (configurable), after which:
  • MFA must be enabled, or
  • the user account is temporarily disabled

3. Visibility of MFA status

Expose the MFA status in the backoffice:

• show whether MFA is enabled / disabled in the user list
• optionally include this information in user details or audit views

4. Device and recovery management

Improve usability and support scenarios by allowing:

• registration of multiple MFA devices per user
• administrators to reset MFA registration for a user (e.g. lost or replaced phone)

Open discussion

This discussion can be used to:

• validate the overall approach
• discuss UX and implementation trade-offs
• align on what should be core functionality vs package-based extensions

Note

This ticket was discussed within the Umbraco Security & Privacy Advisors group; I’m formalising it here to gather broader feedback.