Allow enforcement of two factor on external accounts
Problem to solve
Current settings do not permit requiring two factor for only a subset of users - in this case - external users.
Target audience
Security Analyst
Further details
Our 'internal' users already have duo two factor configured for use with LDAP authentication. It would be nice to force two factor for external users without requiring internal users to configure an additional two factor.
Proposal
Any of the following: 1.) allow admins to require two factor when creating external accounts 2.) Checkbox under Admin Area -> Settings -> Sign-in Restrictions : "Require external users to setup 2fa"
What does success look like, and how can we measure that?
External accounts would require google two factor - while internal accounts could just use ldap (with its own separate two factor).