Ability to enforce two-factor authentication

[minecrafter]

Currently, two-factor authentication is optional. It would be nice if we had a global (site) or per-organization setting to enforce two-factor authentication.

• Global: If you log in and do not have two-factor authentication, you will be forced to enroll when you log in.
• Organization: You can not join an organization until you enable two-factor authentication. Existing members without two-factor authentication will be forced to turn it on (GitHub removes users from the organization).

[bkcsoft]

As for per-organization change, I propose that if you login w/o 2FA enabled you're account will be redirected to /user/settings/two_factor with an option to leave the "offending" organization :)

Obviously the 2FA-page would need an update to list orgs (that require 2FA) to leave if you disable 2FA.

[elvarb]

This feature is very important for overall security.

Best way to implement it would be to have it a part of Authenticators settings, that way you can for example require 2fa for ldap imported users while having it optional for local users.

[yarumair]

Just wondering if this is implemented as i think its pretty nice feature to have within an organization

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

[9thWonderAgency]

I am but a simple Gitea user, would like to voice that my organization would also find this a very important feature. Please!

[zeripath]

Ok if we're gonna do this we need to think about what happens if a user tries to login without two factor.

Is it that they get redirected immediately to the enroll 2fa page similar to the must change password screen?

[tomposmiko]

It would already be enough if we could enforce the setting for each user one by one.
Would that be easier to implement?

[MOZGIII]

Ok if we're gonna do this we need to think about what happens if a user tries to login without two factor.

Is it that they get redirected immediately to the enroll 2fa page similar to the must change password screen?

That would be reasonable.
It is also a good idea to allow specifying a time duration since registration until the 2FA requirement starts blocking the access. I.e. you can do some limited things until this 2FA enforcement timeout without 2FA.