2FA with enforce provider


currently has the option to enforce 2FA for users via policy, that’s great. But with this option, the user can still choose any of the supported providers. I think it would be a nice feature if admins could specify what type of 2FA is required, and/or if a provider could be turned on/off system-wide.

With this option, admins can require org members to use, for example, a YubiKey device that comes from the org, and prevent the use of other methods, for example software authenticators.

There isn’t an easy way to do this. The client interface doesn’t support selecting this. Since the web-vault is not maintained by us it’s going to be difficult to add something like this.

You could set _enable_duo and _enable_email_2fa to false. That should at least disable those two methods.

But that isn’t then per organization, and will be for all users.


Sure, if these options are available, it’s a good starting point. Do they exist in the current release, or is your answer only theoretical?

Those exist currently.


I can’t find such environment variables. Where can I set these?

You can enable and disable them on the admin page.


Enforcing a specific type of 2FA method or provider system-wide is indeed a useful feature for organizations that want strict control over their security policies. To achieve this, developers or administrators would need to implement an administrative interface where administrators can define the 2FA policy for the organization. This interface should allow them to specify the type of 2FA method or provider that users are required to use.
