2FA Policy not enforced after removing a user's 2FA settings

The Admin Panel allows removing 2FA configurations from a user (which is great). Unfortunately, the user is not requested to set up 2FA again at the next login if he is part of an organization with a 2FA policy. The user still has access to this organization. So it's a way to circumvent the 2FA policy, presenting a security flaw.

Vaultwarden should require the user to re-configure 2FA before letting him access an organization with a 2FA policy.

I’ll be happily opening a GitHub Issue if that’s the way to go.

I would likely create a GitHub issue based around this, though the /admin page is more of a backend administrative operation, so a bit different from when a user removes their own 2FA.
I’d be curious to see if they still remain in the Organization with the 2FA policy if removed by the user and not within the admin panel.

If changed though I would recommend we stick to how it’s handled upstream in Bitwarden.

Warning
Users in the organization who do not have two-step login turned on will be removed from the organization when you activate this policy.


I just verified that. If the user removes the 2FA, the user gets removed from the organizations which require 2FA. So that's fine on that side. It would make sense if the same happens when the 2FA gets removed via the /admin interface.
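As an added illustration, not Vaultwarden's own code, here is a toy Rust model of the behaviour this thread asks for: both 2FA removal paths (self-service and /admin) run the same policy hook, so the user loses membership in every organization whose 2FA policy they no longer satisfy, and activating the policy drops members without 2FA as the upstream warning describes. All names, types and the sample data are constructed for the example.

```rust
use std::collections::{HashMap, HashSet};

/// Who triggered the 2FA removal: the user themselves or the /admin panel.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Actor { User, Admin }

#[derive(Default, Debug)]
pub struct Org { pub twofactor_required: bool, pub members: HashSet<String> }

/// Toy server state, constructed for this example (not Vaultwarden's data model).
#[derive(Default, Debug)]
pub struct State {
    pub twofactor_enabled: HashSet<String>, // users that have 2FA configured
    pub orgs: HashMap<String, Org>,          // org id -> org
}

impl State {
    /// Drop the user from every org whose 2FA policy they no longer satisfy.
    /// Returns the ids of the orgs the user was removed from, sorted.
    fn enforce_twofactor_policy(&mut self, user: &str) -> Vec<String> {
        let mut revoked = Vec::new();
        if self.twofactor_enabled.contains(user) { return revoked; }
        for (id, org) in self.orgs.iter_mut() {
            if org.twofactor_required && org.members.remove(user) { revoked.push(id.clone()); }
        }
        revoked.sort();
        revoked
    }

    /// Both removal paths funnel into the same hook, so the actor cannot change the outcome.
    pub fn remove_twofactor(&mut self, user: &str, _actor: Actor) -> Vec<String> {
        self.twofactor_enabled.remove(user);
        self.enforce_twofactor_policy(user)
    }

    /// Activating the policy removes members without 2FA (the upstream warning).
    pub fn activate_twofactor_policy(&mut self, org_id: &str) -> Vec<String> {
        let enabled = &self.twofactor_enabled;
        let org = match self.orgs.get_mut(org_id) { Some(o) => o, None => return Vec::new() };
        org.twofactor_required = true;
        let mut removed: Vec<String> =
            org.members.iter().filter(|m| !enabled.contains(*m)).cloned().collect();
        org.members.retain(|m| enabled.contains(m));
        removed.sort();
        removed
    }
}

/// Constructed scenario: alice has 2FA and is in org-a (policy on) and org-b (policy off).
pub fn scenario() -> State {
    let mut s = State::default();
    s.twofactor_enabled.insert("alice".into());
    for id in ["org-a", "org-b"] {
        let mut org = Org::default();
        org.members.insert("alice".into());
        s.orgs.insert(id.into(), org);
    }
    s.activate_twofactor_policy("org-a");
    s
}
```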

I created a GitHub Issue