Enable 2FA by default #1213
Enable 2FA by default #1213
Conversation
|
We should just need Automattic/jetpack#12029 to make this all work. |
|
Instead of the previous Jetpack PR, we need WordPress/two-factor#276 / #1214 |
|
I'm thinking we get this deployed with Then we announce via the lobby that you can filter that now to force 2FA for any users you want and starting some time in the future (maybe 1 month from now?) we will default it for all users that can edit posts. |
|
We'll want to test this out with the following scenarios:
|
The only caps a restricted user needs are `read` and `edit_user` (only for theirself).
Co-Authored-By: joshbetz <[email protected]>
joshbetz
force-pushed
the
update/enforce-2fa
branch
from
a831d3b to
8bfe566
Compare
If we call current_user_can inside map_map_cap, we create a callback loop. By calling it outside, we avoid that issue.
Before this date, we just output an admin notice to users that will need to enable 2FA. The logic to display the date got a little complex, but ensuring the notice is in their local timezone is worth it. After the date specified, the admin notice switches to say 2FA is required and only the most basic functions are available. This is a date that's a month from now in the middle-ish of the day in the middle of the week (so plenty of support will be around in case there are questions).
|
In 1f8dc49 we time gate forcing for everyone with |
|
Whatever date we decide, we should set up a couple Slack reminders :) |
This allows clients to override the time gate and force two factor at any time. Previously two factor could only be force enabled after the date specified.
If the timezone string is not set, use UTC as a backup.
|
Tested variations sites that are manually loading Also, sites that load another copy of I didn't experience any issues. The sites I tested on a sandbox transparently switched to our version of |
|
Also tested sites with jetpack-force-2fa enabled, the require two-step setting in Jetpack, and both at the same time. |
|
@mjangda I think we should be all set here as long as we're OK with May 23 @ 1800 UTC for forcing 2FA for everyone. |
``` Notice: wp_register_script was called incorrectly. Scripts and styles should not be registered or enqueued until the wp_enqueue_scripts, admin_enqueue_scripts, or login_enqueue_scripts hooks. ```
https://codex.wordpress.org/Roles_and_Capabilities#User_Levels Co-Authored-By: joshbetz <[email protected]>
Make the message more prominent, consistent, and add more context.
|
Only blocker now is being able to link directly to the "Two-Factor Options". Everything else is good to go. |
|
To be deployed on Tuesday. |
|
r138198-deploy |
joshbetz
added
[Status] Deployed to production
and removed
[Status] Ready to Deploy
labels
Enables
two-factorby default and requires it for anyone withedit_postscapabilities.Deploy Notes
We need to deploy a fix to two-factor that lets it work with Jetpack SSO: WordPress/two-factor#276 / #1214
Testing