Allow Admins to force 2FA on their users
Dev: https://dev.gitlab.org/gitlab/gitlabhq/issues/2545
Zendesk ticket: https://gitlab.zendesk.com/agent/tickets/5968
The company would like to be able to force some of its users into activating 2FA
Job
I think we should first do the rake task that disables 2FA. This makes sense, but I don't know about 'some of his users', how would you do that?
Patricio
@job he mentioned wanting to force 2FA for users that have admin rights. He could, as admin, go into their profiles and activate a check box that says Require 2FA to be active, then when that user tries to log in the next time, he gets a message saying that he needs to activate 2FA and cannot do anything until it has been activated. What do you think?
Dmitriy
@job does this feature make sense per-user? I can hardly imagine an admin going through hundreds of users and clicking Force 2FA. The point is: you either require it from all employees or not. In the first case you need to do 1 click to force everyone to enable 2FA. In the second you just don't care. Hunting people without 2FA feels wasteful.
Job
@dzaporozhets I agree. So let's propose that @patricio? Force all or nothing. Makes everything much easier. Again, we should have the rake task done first, because people are going to mess things up and there should be a (painful) escape. This feature should also work nicely with the rake task: If you force everyone on 2FA, then disable 1 person, that should get enabled again (somehow).
Patricio
@job I'll propose to make it "all or nothing". Maybe we can also add something that only forces users that are admins to have 2FA. It wouldn't be per user, but it also will not force normal users to have 2FA. @dzaporozhets what do you think about this approach?
Dmitriy
@patricio so you propose select with 3 options: Force 2FA: none / admin only / everyone. I am ok with that.
cc @JobV, @dzaporozhets, @patricio