Enable two-factor authentication (2FA)

Is there any documentation about the 2FA option?

Not yet. Only what’s noted in the Release Notes (v5.5), which is:

  1. Implement 2FA for the Treepl SSO service (use Google Authenticator)

  2. Enable 2FA on edit account (partner portal): http://prntscr.com/u6s3zj

  3. Each time on login to portal or any site:

     • show QR code and code field on a separate page after successful login (if 2FA is not set up for the current user)
       http://prntscr.com/u6s4y8
     • show code field on a separate page after successful login (if 2FA is set up for the current user) (without QR code)

  4. Add ability to enable 2FA for the site on site details and show indicator on sites list:

     • similar checkbox setting as on edit profile
     • show if 2FA is enabled for the site

  5. For site admin users (if 2FA for the site is enabled), each time on login:

     • show QR code and code field on a separate page after successful login (if 2FA is not set up for the current user)
       http://prntscr.com/u6s4y8
     • show code field on a separate page after successful login (if 2FA is set up for the current user) (without QR code)

Further to Adam’s response below, I did some testing with 2FA and I think it needs further refinement.

In the first instance, because you require a QR code to be scanned, you are not able to log in on a mobile phone.

We have tried both iPhone and Android and found the most common authenticator apps do not allow photo import, so you can’t scan the QR code on the same phone you are trying to log in with.

Obviously, a workaround is to log in with a computer and scan the code from the screen, but quite often our own in-house developers only have access to their phones on the road, as I imagine is the case for a lot of customers.

After being authenticated once, the problem is fixed as it then only needs the authentication code, not the QR.

There is also a spelling mistake on the QR authentication page.

I have passed all of this along to the Treepl team already :slight_smile:


@lee.relianceit Good point.

I’m a user of 2FA broadly and frankly I’ve always set it up via scanning a QR code on my screen. That being said, I can see the utility in being able to set it up on the phone. All that would be required is for Treepl to display the key below the QR code to allow manual setup.

I think this is especially important because once 2FA is turned on for a site, it is immediately required by all users. I think this is strange. The usual workflow would be for users to enable it on their own accounts and then set it up as part of that process. I could see having the option in the partner portal to require 2FA. That way you could give admin users some warning to enable it, and then require it after a certain date. I think it’s a bit abrupt to just blanket require it for all users. That’s not what I assume when I see the check box “Enable two-factor authentication (2FA)”.

My suggestion is to add a second check box below that allows you to “Require two-factor authentication (2FA)”

And subsequently add the ability for each user to Enable 2FA themselves in the site admin.

Current user flow is non-standard.

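To make the two points in this thread concrete (the QR-plus-code enrollment flow from the v5.5 release notes, and the suggestion to show the manual setup key under the QR code and to split “Enable” from “Require”), here is an added example in Python. It is not Treepl’s code and says nothing about how Treepl’s SSO is actually implemented; it uses only the standard library to implement RFC 4226/6238 TOTP, which is what Google Authenticator consumes. The `otpauth://` URI is the payload a QR code would encode, and `manual_key()` is the same secret in the base32 form an authenticator app accepts when you choose “enter a setup key”, so a user enrolling on the phone they are logging in with gets identical codes. The `post_login_page()` policy, its parameters and the date-based “require from” deadline are assumptions that model the proposal above, not an existing Treepl setting.

```python
"""Added example, not Treepl code: TOTP enrollment helpers (RFC 4226/6238,
standard library only) and a hypothetical post-login policy for the
'Enable' / 'Require' 2FA split proposed in the thread."""
import base64
import hashlib
import hmac
import os
import struct
import time
import urllib.parse
from datetime import date
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


def verify_code(secret: bytes, code: str, at: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Check a user-entered code against the current step and +/- `window`
    neighbours (clock skew). Every candidate is compared in constant time and
    none returns early, so timing does not reveal which digits matched."""
    code = code.strip()
    if not (code.isascii() and code.isdigit()):
        return False  # reject before compare_digest, which needs ASCII input
    counter = int(time.time() if at is None else at) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c), code)
    return ok


def new_secret() -> bytes:
    return os.urandom(20)  # 160-bit shared secret, the size RFC 4226 recommends


def manual_key(secret: bytes) -> str:
    """Base32 setup key, grouped in fours for typing; this is what should be
    displayed under the QR code so enrollment works on the phone itself."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return " ".join(b32[i:i + 4] for i in range(0, len(b32), 4))


def otpauth_uri(secret: bytes, account: str, issuer: str = "Treepl") -> str:
    """The otpauth:// URI the QR code encodes. It carries the same base32 secret
    as manual_key(), so scanning and manual entry produce the same codes."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = f"{urllib.parse.quote(issuer)}:{urllib.parse.quote(account)}"
    params = urllib.parse.urlencode(
        {"secret": b32, "issuer": issuer, "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{params}"


def post_login_page(user_enrolled: bool, site_allows_2fa: bool,
                    require_from: Optional[str], today: Optional[str] = None) -> str:
    """Hypothetical policy (an assumption, not a Treepl feature): 'Enable' lets
    users enrol themselves, 'Require' forces enrollment from an ISO date on.
    Returns the page to show after a successful password login:
      "verify" - already enrolled: code field only (no QR)
      "enroll" - site requires 2FA and the deadline has passed: QR + key + code
      "none"   - let the user in; they may enrol from their own profile"""
    if user_enrolled:
        return "verify"
    today_d = date.today() if today is None else date.fromisoformat(today)
    if site_allows_2fa and require_from is not None and today_d >= date.fromisoformat(require_from):
        return "enroll"
    return "none"


if __name__ == "__main__":
    # Enrollment page for a constructed, hypothetical account.
    secret = new_secret()
    print("QR payload :", otpauth_uri(secret, "alice@example.com"))
    print("Manual key :", manual_key(secret))
    # The code field on the enrollment page: only persist `secret` for the user
    # once verify_code() accepts a code they typed from the app.
    print("Current code:", totp(secret), "->", verify_code(secret, totp(secret)))
```

The enrollment page should keep the secret server-side only until the user has typed one valid code from their app; persisting it before that confirmation leaves accounts that are flagged as enrolled but can never produce a code.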