Invite new user to organization with 2fa policy enabled

Hi there,
following situation:
Created new organization, enabled 2FA policy, invited new user.
User gets invitation via email, creates new account, but is not able to confirm the invitation to the organization, as he hasn’t got the possibility to activate 2FA-authentication.
So he has to activate 2FA-authentication and follow the invitation link once again to accept it.
The wiki at Home · dani-garcia/vaultwarden Wiki · GitHub refers to bitwarden’s help Enterprise Policies | Bitwarden Help Center where they say:
“New users will be automatically setup with email-based two-step login, but can change this at any time”
But this doesn’t happen.
Have I missed any configuration or is it more a feature request?
Here’s my config

### Your environment (Generated via diagnostics page)
* Vaultwarden version: v1.30.1
* Web-vault version: v2023.10.0
* OS/Arch: linux/x86_64
* Running within Docker: true (Base: Debian)
* Environment settings overridden: true
* Uses a reverse proxy: true
* IP Header check: false (X-Forwarded-For)
* Internet access: true
* Internet access via a proxy: false
* DNS Check: true
* Browser/Server Time Check: true
* Server/NTP Time Check: true
* Domain Configuration Check: true
* HTTPS Check: true
* Database type: MySQL
* Database version: 10.11.6-MariaDB-1:10.11.6+maria~ubu2204
* Clients used: 
* Reverse proxy and version: 
* Other relevant information: 

### Config (Generated via diagnostics page)
<details><summary>Show Running Config</summary>


  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 10,
  "admin_ratelimit_seconds": 60,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "*****://***********************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://********************",
  "domain_origin": "*****://********************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden Edatasystems",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/vaultwarden.log",
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "***************,******************,**************,*********",
  "signups_verify": true,
  "signups_verify_resend_limit": 5,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "Login",
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "********************",
  "smtp_from_name": "PasswortDB edatasystems",
  "smtp_host": "********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null

Thanks in advance

I think this behaviour is not (yet) in Vaultwarden.
So that might be something we should add i think.

Hi there,
that would be great as the actual way is a little irritating for invited users.
How do we proceed?
Shall I open a feature request or is it already on its way?
Sincerely, Markus

You could create a discussion in the idea sector regarding this.
It isn’t on is way right now, there are a lot of other items still open or to address.

Done: Default 2FA email for new users invited to organizations with 2FA-policy enabled · dani-garcia/vaultwarden · Discussion #4157 · GitHub

I think it’s pretty interesting and something that others would definitely love to see.

OK, then go and vote for it :wink: : Default 2FA email for new users invited to organizations with 2FA-policy enabled · dani-garcia/vaultwarden · Discussion #4157 · GitHub

I’ve just voted for it! Hopefully, other users will also support your idea!

1 Like