Built-in 2FA huge issue with multiple users

Not sure if I am missing something obvious, but setting this inside config.php:

'auth' => [
    'methods' => [
        'password' => ['2fa' => true]
    ],
],

I am able to activate 2FA for my panel user, but since there are other users, trying to log in with their credentials afterwards also requires a code, even though they didn't set anything up (I only activated this for my own panel user).

Is there a way this can be fixed? It seems to me it's a huge bug - imagine an admin user activates 2FA in the config, and now I, as an editor, try to log in to the panel and am required to provide a 6-digit code which I never activated.

It is indeed a bit unfortunate that you can only enable TOTP for individual users if you enable 2FA for all. Those without TOTP enabled in their account will then get a code via email.

Ideally, this would be decoupled, but this is currently not the case.

Thanks for the quick reply!

But I am not sure I understand this answer - are you saying that this is the default behaviour (if 2FA is enabled in the config, even users who didn't activate anything will have to provide a 6-digit code during their next login)?

So if every panel user wants to activate their own 2FA in their own time, this is impossible, because after the first one activates theirs, the other users will be prompted for a 6-digit code (which they have no idea where to get from, because it is not the same one that appears for the user that activated it).

Thanks!

Just to be clear, I am not able to individually set up TOTP as you said, because as soon as I activate it for one user, it is automatically activated for the other users (ideally, I want to activate it individually for each user, which makes sense: you want to handle each user separately and let them decide whether or not to activate 2FA for themselves).

Thanks!

There are two built-in 2FA types: email code and TOTP.

If you enable 2FA in the config like you did, 2FA via email will be enabled for everyone.

Additionally, individual users have the option to set up TOTP in their accounts instead of the email based code.

But it is not possible to enable TOTP for users (so that they can choose to set it up for themselves) WITHOUT also enabling the email based 2FA code for everyone.

Having said that, such a setup is not unusual. In our e-commerce solution (totally unrelated to Kirby), we also use email based 2FA for everyone by default, then users can choose to enable other forms of 2FA for themselves (TOTP, hardware-based 2FA).
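The two-tier behaviour described in this answer, modelled as an added illustration (this is not Kirby's code): a single config-level 2fa flag turns the second step on for everyone, and a user is challenged with an authenticator (TOTP) code only if they enrolled a secret, otherwise with a mailed code. The config dict, the two users and the RFC 6238 test secret are constructed assumptions.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# Constructed config mirroring the config.php from the thread: the flag is global.
CONFIG = {"auth": {"methods": {"password": {"2fa": True}}}}

# Constructed users: only "admin" enrolled an authenticator app (secret is the
# RFC 6238 reference key "12345678901234567890" in base32, a hypothetical value).
USERS = {
    "admin": {"totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
    "editor": {"totp_secret": None},
}


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def challenge_for(username: str) -> Optional[str]:
    """Second factor demanded after a correct password: None when the global flag
    is off, 'totp' for users who enrolled a secret, 'email' for everyone else."""
    if not CONFIG["auth"]["methods"]["password"].get("2fa"):
        return None
    return "totp" if USERS[username]["totp_secret"] else "email"


def verify(username: str, code: str, at: int, mailed_code: Optional[str] = None) -> bool:
    """Check a submitted code against the challenge type chosen for this user.
    Comparisons are constant-time; TOTP also accepts the previous 30 s step so a
    slightly slow phone clock does not lock the user out."""
    kind = challenge_for(username)
    if kind is None:
        return True
    if kind == "email":
        return mailed_code is not None and hmac.compare_digest(code, mailed_code)
    secret = USERS[username]["totp_secret"]
    return any(hmac.compare_digest(code, totp(secret, at - drift)) for drift in (0, 30))
```

The editor in the thread lands in the "email" branch: the global flag is on, no TOTP secret exists for them, so the mailed code is what they are asked for.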

Thanks for your reply, I didn't realise that the first code is the email one for the other users, but once logged in, they can then set up their authenticator app flow. This works fine, thank you for your answer!