Email 2FA; can I enforce users to use a different email address than hint email?

maxburn · June 28, 2022, 1:42pm

Looking at the weakness of the password hint contents and because there is no way to turn that feature off is there some way I can force users to use a different email address than their account email for the Email 2FA challenge?

Idea here is all employees have a company phone and I can send that Email 2FA challenge to the SMS email gateway to turn it into a text. Or send it to our service manager and have users go through him.

Or at a minimum can I audit this and see their Email 2FA address and enforce this myself?

BlackDex · September 21, 2022, 5:53am

You can disable password hint.

github.com

dani-garcia/vaultwarden/blob/main/.env.template#L273..L279


      
          ## resulting in an email notification. An incomplete 2FA login is one where the correct
          ## master password was provided but the required 2FA step was not completed, which
          ## potentially indicates a master password compromise. Set to 0 to disable this check.
          ## This setting applies globally to all users.
          # INCOMPLETE_2FA_TIME_LIMIT=3
          
          
## Controls the PBBKDF password iterations to apply on the server
          ## The change only applies when the password is changed
          # PASSWORD_ITERATIONS=100000
          
          
## Controls whether users can set password hints. This setting applies globally to all users.
          # PASSWORD_HINTS_ALLOWED=true
          
          
## Controls whether a password hint should be shown directly in the web page if
          ## SMTP service is not configured. Not recommended for publicly-accessible instances
          ## as this provides unauthenticated access to potentially sensitive data.
          # SHOW_PASSWORD_HINT=false
          
          
## Domain settings
          ## The domain must match the address from where you access the server
          ## It's recommended to configure this value, otherwise certain functionality might not work,

There currently isn’t a way to enforce this. Only way manually would be by accessing the database.

Topic		Replies	Views
Manually verify email address, working out SMTP issue Help	1	565	September 27, 2020
Send a mail-notification when logging into the admin-panel Feature Requests	3	949	September 11, 2022
Lost master password, but Help	2	510	May 5, 2021
Login with username instead of email Feature Requests	1	804	November 4, 2020
Email Alerts for planned maintenance Feature Requests	1	269	April 26, 2023

Email 2FA; can I enforce users to use a different email address than hint email?

Related Topics