davift opened a new issue, #13334: URL: https://github.com/apache/cloudstack/issues/13334
### The required feature described as a wish

**Description:** the global configuration setting `enable.user.2fa` defaults to False, meaning users who wish to use two-factor authentication (2FA) cannot do so without a Root Admin first enabling the setting and restarting the management server(s).

**Affected Components:** Management UI

**Impact:** Any compromised or weak user credential is sufficient to gain full access to a user's CloudStack account. This makes the platform susceptible to credential-stuffing, phishing, and brute-force attacks with no second factor to impede unauthorized access.

**Steps to Reproduce:**

- Log in to the CloudStack Management UI as a Root Admin.
- Navigate to Configuration > Global Settings.
- Search for `enable.user.2fa` and observe that its value is set to False.
- Attempt to enable 2FA on your own user account, and confirm that it is not permitted.

**Recommended Remediation:** Change the default value of `enable.user.2fa` to True so that users are always permitted to enroll in 2FA without requiring Root Admin intervention.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
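Operators who want to confirm where their own deployment stands on this setting without clicking through the UI can query it over the API. The script below is an added example, not part of the issue or of CloudStack's own code. It assumes the CloudStack API request-signing scheme as documented (sort the URL-encoded parameters, lowercase the string, HMAC-SHA1 with the secret key, base64, then URL-encode the signature), the `listConfigurations` command with its `name` filter, and a response shaped like `{"listconfigurationsresponse": {"configuration": [{"name": ..., "value": ...}]}}`. The endpoint URL, API keys and the sample response are constructed placeholders.

```python
"""Audit whether a CloudStack deployment lets users enrol in 2FA.

Added example (not CloudStack project code). Assumes the documented
CloudStack API signing scheme and the listConfigurations response shape.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import quote
from urllib.request import urlopen

SETTING = "enable.user.2fa"


def compute_signature(query: str, secret_key: str) -> str:
    """HMAC-SHA1 over the lowercased query string, base64 and URL-encoded.

    Lowercasing means the signature is the same whether the caller wrote
    'listConfigurations' or 'listconfigurations' in the query.
    """
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    return quote(base64.b64encode(digest).decode(), safe="")


def sign_request(params: dict, api_key: str, secret_key: str) -> str:
    """Return the full signed query string for a CloudStack API call."""
    full = dict(params, apikey=api_key, response="json")
    # Sort by key, URL-encode values (CloudStack keeps '*' unencoded).
    query = "&".join(f"{k}={quote(str(v), safe='*')}" for k, v in sorted(full.items()))
    return f"{query}&signature={compute_signature(query, secret_key)}"


def build_audit_url(endpoint: str, api_key: str, secret_key: str) -> str:
    """URL that asks the management server for just the 2FA setting."""
    params = {"command": "listConfigurations", "name": SETTING}
    return f"{endpoint}?{sign_request(params, api_key, secret_key)}"


def evaluate_2fa_setting(response: dict) -> dict:
    """Read a listConfigurations response and report the 2FA posture.

    Returns a dict with 'found' (setting present), 'enabled' (value is
    'true', case-insensitively) and the raw 'value'. A missing setting is
    reported as not enabled so the audit fails closed.
    """
    body = response.get("listconfigurationsresponse", {})
    for cfg in body.get("configuration", []):
        if cfg.get("name") == SETTING:
            value = cfg.get("value")
            return {"found": True, "enabled": str(value).lower() == "true", "value": value}
    return {"found": False, "enabled": False, "value": None}


def fetch_and_evaluate(endpoint: str, api_key: str, secret_key: str, timeout: int = 10) -> dict:
    """Live check against a management server (network call)."""
    with urlopen(build_audit_url(endpoint, api_key, secret_key), timeout=timeout) as resp:
        return evaluate_2fa_setting(json.load(resp))


# Constructed sample response mirroring the default described in the issue.
SAMPLE_RESPONSE = {
    "listconfigurationsresponse": {
        "count": 1,
        "configuration": [
            {
                "category": "Authentication",
                "name": SETTING,
                "value": "false",
                "description": "Determines whether 2FA is enabled or not for users.",
            }
        ],
    }
}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # fetch_and_evaluate("https://cloudstack.example/client/api", "<api-key>", "<secret>")
    # for a live audit.
    result = evaluate_2fa_setting(SAMPLE_RESPONSE)
    status = "users may enrol in 2FA" if result["enabled"] else "users CANNOT enrol in 2FA"
    print(f"{SETTING} = {result['value']!r}: {status}")
```

The evaluator treats an absent setting the same as a False one, so a deployment that somehow lacks the key is still flagged rather than silently passing.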
