How to enable 2FA for administrator

Hello
Any idea how to enable two factor authentication with OTP app for Administrator?

I enabled 2 factor authentication in role for ALL, but still administrator can login without two factor authentication.
Erpnext version 13.8

Has this ever been solved? We're facing the same problem: 2FA enabled for role 'ALL' but administrator still being the only account that is not forced to show second factor. What else is necessary to enforce 2FA?


As I understand, 2 factor authentication in ERPNext does not work for administrator. I tried to enable 2FA for administrator but it does not take effect for administrator, and administrator can still login without 2 factor authentication in ERPNext. I tested it with ERPNext version 13, I think it was v13.8.0

Thanks for your feedback! I've tried it with up to the latest revision of ERPnext and all with the same (negative) result so we can conclude that either both of us haven't understood the concept or it simply does not work.

But can that be? The most powerful account being the only one you can't secure through multi factor authentication? Hard to believe, isn't it?


:upside_down_face:

Does anyone know if this is a known bug or would it make sense to register it as such?


Hi

Is there any resolution / answer to this? I am also wanting to implement 2FA and I was wondering about the implications: i.e. the administrator lost his/her phone and cannot log in. And a "normal" system-user cannot access the "Administrator" account to reset passwords / 2FA so that the Administrator account can be used again.

Then I came across this posting...

So I would also like to know: was this done intentionally or is this a bug?

Unlike a normal user, Administrator account is controlled server side and if you do lose the administrator password, there's a command on the server side to reset administrator password.

As for 2FA for administrator, I think this is what is causing the limitation as unlike normal user, administrator role is not controlled from the frontend.

Thank you @flexy2ky for taking the time

What you are saying does make sense, but it is as @smw said ... can this be??? That the most powerful account in ERPNext can be accessed without 2FA??

Also, according to the documentation (as below), Administrator is included in 2FA...

https://docs.erpnext.com/docs/v13/user/manual/en/setting-up/articles/setup-two-factor-authentication


Hi

After your comment @flexy2ky, about Administrator being handled on the server-side, I thought of something ...

I had trouble executing the command ...
bench --site [sitename] set-config enable_two_factor_auth true
(as the 2FA documents specify)

It kept on telling me ...
Please specify --site sitename

I then thought to actually check my site_config.json file
and the file was indeed updated, even though it was complaining about my command.

I find in the site_config.json file...
"enable_two_factor_auth": true,

The fact that the error "Please specify --site sitename" keeps on coming up even though
it was executed, is a worry, but let's leave that aside for now ...

It means that I have done all as specified by the docs...
https://docs.erpnext.com/docs/v13/user/manual/en/setting-up/articles/setup-two-factor-authentication

I have also played around with various combinations of enabling/disabling 2FA
in the "All" and "Administrator" roles, but 2FA for the Administrator does not work.


Dear all,

... to revive this old thread: has this ever been addressed? The docs still say that Administrator is affected by the 2FA settings but I still cannot get this activated in my 14.27.x installation. So is there a trick or at least a good explanation why this is the case?

BR
SMW

This is still the case. Dug into the code and found out that twofactor.py of frappe has a hard-coded test in a method (two_factor_is_enabled_for_) on the "Administrator" user and returns false if that is the case. See: https://github.com/frappe/frappe/blob/develop/frappe/twofactor.py#L113

Patching that file and removing that check fixes this issue and when logging in with "Administrator", a 2fa-token is requested. However, we should raise this issue and fix this properly. See: 2FA should not be disabled for Administrator in twofactor.py · Issue #24433 · frappe/frappe · GitHub
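
The behaviour described in the last post, as an added example that is not part of the thread and is not frappe's code: a simplified model of a 2FA gate with and without a hard-coded "Administrator" exemption, plus an audit that lists which accounts can still log in with a password alone. All function names, the treatment of "All" as an implicit role, and the sample users are assumptions made for the illustration.

```python
# Simplified model of the behaviour reported in this thread. This is NOT
# frappe's twofactor.py; every name below is hypothetical.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def gate_without_exemption(user, site_config, roles_2fa):
    """Patched behaviour: only the site flag and role flags decide."""
    if not site_config.get("enable_two_factor_auth"):
        return False
    # Assumption: "All" is a role every user implicitly holds.
    return bool((user.roles | {"All"}) & roles_2fa)


def gate_with_exemption(user, site_config, roles_2fa):
    """Reported behaviour: a hard-coded name check runs before anything else."""
    if user.name == "Administrator":
        return False  # exemption wins regardless of role settings
    return gate_without_exemption(user, site_config, roles_2fa)


def audit(users, site_config, roles_2fa, gate):
    """Return the names of accounts that are NOT asked for a second factor."""
    return sorted(u.name for u in users if not gate(u, site_config, roles_2fa))


# Constructed sample data mirroring the setup described in the thread:
# 2FA switched on in site_config.json and enabled for the role "All".
SITE_CONFIG = {"enable_two_factor_auth": True}
ROLES_2FA = {"All"}
USERS = [
    User("Administrator", {"Administrator", "System Manager"}),
    User("alice@example.com", {"System Manager"}),
    User("bob@example.com", {"Sales User"}),
]

if __name__ == "__main__":
    print("password-only (reported):",
          audit(USERS, SITE_CONFIG, ROLES_2FA, gate_with_exemption))
    print("password-only (patched): ",
          audit(USERS, SITE_CONFIG, ROLES_2FA, gate_without_exemption))
```
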