Enforcing 2FA on Organization is actually not enforcing it for new Users

Hi there,

the System is running in Docker on Ubuntu Server 20.04 and Vaultwarden is Version 1.21.0.

Steps to (hopefully) reproduce:

  1. After creating the first User via the Webinterface (let´s call him the Admin), I created my first Organization.
  2. In the Organization Policies I configured 2 Settings. Enforcing 2FA and enforcing Minimums for the Master Password to Good(3).
  3. After that I invited a regular User to Vaultwarden and after he signed up, I went to the Organization and added him as a Manager.
  4. The User has no 2FA configured for himself yet, but he can access the Organization without any problem, create / modify records etc.

I understand the enforce 2FA setting that the User to access the Organization has to enable 2FA first, but I am either not understanding it correctly or it is not working in my case.

Does someone have any Idea of what might be wrong?

My current Support String:

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.21.0
  • Web-vault version: v2.19.0d
  • Running within Docker: true
  • Uses a reverse proxy: false
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.33.0
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": false,
  "_ip_header_enabled": true,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_max_conns": 10,
  "database_url": "****/**.*******",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://****-****-**",
  "domain_origin": "*****://****-****-**",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "enable_db_wal": true,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "invitation_org_name": "Password Manager",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "org_attachment_limit": null,
  "org_creation_users": "**********@*******.*****",
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_explicit_tls": false,
  "smtp_from": "****-****-**@*******.**",
  "smtp_from_name": "Password Manager",
  "smtp_host": "*******-**.****.**********.*******.***",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_ssl": true,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null

Vaultwarden doesn’t support enforcing MFA on Org’s yet.
There is a PR regarding this, but there are some items there which need some work.

Aye, good to know. Thank you for your reply. Since I can see in the Admin Panel who has MFA enabled and who not, I will use this in the meantime to “support” the users with setting it up :wink:

1 Like

Is this still a problem? I do want to enforce this policy.

hey maxburn, this should be available and working

1 Like

@maxburn It is there since 1.22.2: Changelog

1 Like