Enable 2FA only for the admin role?

Hello. Quick question: Is it possible to enable 2FA only for a specific role, i.e. the admin role?

It is not clear from the documentation whether user-dependent login methods are possible. Most likely because it is not possible.

Out of curiosity: what is the point of 2FA if there are additional, vulnerable options through the standard log-in? The weakest link in the chain cannot guarantee the protection of 2FA.

How is Kirby supposed to know who is logging in BEFORE logging in to provide the desired authentication method?

+++ EDIT +++
I have to correct myself. As I understand it in the instructions, 2FA can be deactivated/activated for each account:

You can use the ready config option to set the 2fa auth method dependent on user role.

    // site/config/config.php: the ready callback receives the Kirby instance,
    // so options can be derived from the current user at request time
    'ready' => function (Kirby $kirby) {
        $user = $kirby->user();
        return [
            'auth' => [
                'methods' => [
                    // 2FA only for the admin role; null-safe so an anonymous
                    // request (no user) simply yields false
                    'password' => ['2fa' => $user?->role()?->name() === 'admin'],
                ]
            ]
        ];
    }

Note that this enables the feature. 2FA itself has to be enabled by the users themselves.


Some more context:

For a client I have a site with a lot of users. The website is public, but with a section that requires login. Like a really simple intranet where the users can read company information.

Some users are admins and have access to the panel to edit content.

But the majority of the users do not have access to the contents in the panel. The only purpose for these users is to be able to log into a restricted area in the frontend where they can read internal company information.

Right now all users are added manually and assigned the correct role (admin or user). They log in using email and password.

We need to secure this site, so that the admins get 2FA. At minimum Auth-code via email, but we will probably require Time-based one-time password using an app.

The problem is, for the vast majority of the regular users, 2FA is not necessary and will complicate things. For example, they don’t always have access to their email account or their phone. Sometimes they use a shared computer on the factory floor.

They don’t have permission to access the panel and cannot edit the contents. They only have access to read posts in the intranet. So it is not necessary to enforce 2FA for these users.

The flow would be like this:

– An admin user types the email and password. The login page requests a 2FA code to be entered. After entering the 2FA code the admin user is logged into the Panel.
– A regular user types the email and password. The user is logged in without a 2FA code.

Is this possible to do?

Oh thanks @texnixe! This was exactly what I was looking for. I will try this.

I don’t think there is a way to actually enforce 2FA, unless you block panel access (except to the account) for admin users who do not have 2FA enabled.
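One way to implement that enforcement, as an added example that is not code from this thread or from the Kirby project: the `ready` idea from the earlier reply is widened to a list of privileged roles, and a `route:before` hook diverts any such user who has not yet enrolled an authenticator to the account page whenever they request another Panel route. The hook works on the session user, so it applies regardless of how the login itself was handled. Assumed here, as the author understands Kirby 4's API and not confirmed by the page: the `route:before` hook signature and its slash-less `$path`, `$user->secret('totp')` returning null until a TOTP secret has been stored, the `kirby()` and `go()` helpers, the `panel.slug` option, and that the account view and its dialogs live under `panel/account` and `panel/dialogs`. The role names and the hypothetical `mustSetUpTotp()` helper are the author's own.

```php
<?php
// site/config/config.php (added example, not the thread's or Kirby's own code)

use Kirby\Cms\App;
use Kirby\Cms\User;

// Roles that must use a second factor. The intranet readers ('user') are not listed.
const TWO_FACTOR_ROLES = ['admin', 'editor'];

// Pure decision helper, kept outside the closures so it can be tested on its own:
// must this request be diverted to the account page so the user can enrol?
function mustSetUpTotp(?User $user, string $path, string $slug): bool
{
    if ($user === null) {
        return false;   // anonymous request: the login flow is responsible
    }
    if (in_array($user->role()->name(), TWO_FACTOR_ROLES, true) === false) {
        return false;   // unprivileged role: no 2FA requirement
    }
    if ($user->secret('totp') !== null) {
        return false;   // assumption: non-null once an authenticator is enrolled
    }

    // Only Panel routes are gated; the frontend intranet stays reachable.
    $inPanel = $path === $slug || str_starts_with($path, $slug . '/');

    // Routes the user still needs in order to enrol or to leave (assumed paths).
    $allowed = str_starts_with($path, $slug . '/account')
            || str_starts_with($path, $slug . '/dialogs/')
            || $path === $slug . '/login'
            || $path === $slug . '/logout';

    return $inPanel && $allowed === false;
}

return [
    // 2FA challenge only for the privileged roles; readers log in with password alone.
    'ready' => function (App $kirby) {
        $role = $kirby->user()?->role()?->name();
        return [
            'auth' => [
                'methods' => [
                    'password' => ['2fa' => in_array($role, TWO_FACTOR_ROLES, true)],
                ],
            ],
        ];
    },
    'hooks' => [
        // Assumed signature: ($route, $path, $method), $path without leading slash.
        'route:before' => function ($route, string $path, string $method) {
            $kirby = kirby();
            $slug  = $kirby->option('panel.slug', 'panel');
            if (mustSetUpTotp($kirby->user(), $path, $slug)) {
                go($slug . '/account');   // redirect to the account view and stop the request
            }
        },
    ],
];
```

The gate is deliberately a redirect rather than an error: an admin without an authenticator can still reach the account view to enrol one, and can log out, but cannot edit content until `secret('totp')` is populated. If the login challenge did not fire for some reason, this hook still keeps un-enrolled privileged accounts out of the editing views.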

@ola Thank you for the far-reaching explanation. This concept makes sense for the differentiated login.

@texnixe Thanks for the code suggestion. Since I will also use 2FA in future projects (and my own website), I can remember your solution.