Here is the code I wrote that only enforced 2fa for users outside our local networks.
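# There is some commented out code there that additionally allowed me to
# specify users in a group so only that group was forced to 2fa.

# Local networks whose logins skip MFA. Each entry is normalised with
# strict=False below (host bits dropped), so "9.9.9.101/24" means 9.9.9.0/24;
# as written, "9.9.9.9/22" would otherwise raise ValueError. Review every
# prefix: an allowlist wider than intended skips MFA for every address in it.
QLF_NETWORKS = [
    "9.9.9.9/22",
    "9.9.9.0/24",
    "9.9.9.101/24",
]

# Kill switch. While True, MFA is never required; the original expressed this
# as a bare `return False  # temp use to disable mfa` as the first statement,
# which also made every line below it unreachable.
MFA_TEMPORARILY_DISABLED = True


def _is_local_client(client_ip, networks=QLF_NETWORKS):
    """Return True if *client_ip* lies inside any CIDR string in *networks*.

    An empty or malformed address is treated as non-local, so the caller
    falls back to requiring MFA instead of skipping it.
    """
    import ipaddress

    try:
        # On Python 2 the ipaddress backport needs a unicode string here.
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    # Per-network membership test instead of expanding every host of each
    # network into one big list, as the original did.
    return any(
        addr in ipaddress.ip_network(cidr, strict=False) for cidr in networks
    )


def _two_factor_required(auth_user, client_ip=None, now=None, args=None):
    """Decide whether this login must complete MFA.

    MFA is enforced only for logins that originate outside QLF_NETWORKS.
    Installed as ``auth.settings.auth_two_factor_enabled`` (see the wiring
    below), which hands it the user being logged in.

    Parameters
    ----------
    auth_user : Row
        The user logging in. ``auth_user.mfa_override`` (a datetime or None)
        is a field we added to auth_user; while it lies in the future the
        user is exempt from MFA.
    client_ip, now, args : optional
        Default to ``request.client``, ``datetime.datetime.now()`` and
        ``request.args``; they exist so the decision can be exercised
        outside a web2py request.

    Returns
    -------
    bool
        True means this login requires MFA, False means it does not.
    """
    import datetime

    if MFA_TEMPORARILY_DISABLED:
        return False

    if args is None:
        args = request.args
    # Only the "login" action (request.args[0]) is subject to MFA. The
    # original fell through with no return here, yielding None.
    if not args or args[0] != "login":
        return False

    if now is None:
        now = datetime.datetime.now()
    # Per-user exemption, e.g. for someone who lost their phone, valid until
    # the override timestamp passes.
    if auth_user.mfa_override and now <= auth_user.mfa_override:
        return False

    if client_ip is None:
        client_ip = request.client
    # NOTE(review): web2py fills request.client from X-Forwarded-For when that
    # header is present, so this allowlist is only trustworthy behind a proxy
    # that overwrites the header; otherwise a client can claim a local address.
    # The original assigned return_value = False for local clients but never
    # returned it, so every caller received None and MFA was never enforced,
    # even for external logins. The explicit return below is the fix.
    return not _is_local_client(client_ip)

    # Alternative approach kept from the original (still disabled): maintain a
    # "MFA Required (web2py)" auth_group so only its members are forced to MFA
    # via auth.settings.two_factor_authentication_group.
    # NOTE(review): the first query's
    # `(mfa_override == None) & (mfa_override <= now)` can never match
    # (None is not <= now); `|` was probably intended.
    #
    # build the MFA Required group members
    # if return_value:
    #     print(datetime.datetime.now())
    #     ag = db(db.auth_group.role == "MFA Required (web2py)").select().first()
    #     if not ag:
    #         ag = db.auth_group.insert("MFA Required (web2py)")
    #     for ou in db(
    #         (db.auth_user.active == True)
    #         | (
    #             (db.auth_user.mfa_override == None)
    #             & (db.auth_user.mfa_override <= datetime.datetime.now())
    #         )
    #     ).select():
    #         db.auth_membership.update_or_insert(user_id=ou.id, group_id=ag)
    #
    #     # clear out any members that are currently exempt from MFA
    #     if ag:
    #         for exempt_user in db(
    #             (db.auth_user.mfa_override >= datetime.datetime.now())
    #             & (db.auth_user.active == True)
    #         ).select():
    #             db(
    #                 (db.auth_membership.group_id == ag.id)
    #                 & (db.auth_membership.user_id == exempt_user.id)
    #             ).delete()
    #         db.commit()
    #
    #     print(datetime.datetime.now())
    #
    #     # set to False to force web2py to check the
    #     # two_factor_authentication group
    #     return_value = False


# That code is in db.py. Then....

auth.settings.auth_two_factor_enabled = lambda user: _two_factor_required(user)
auth.messages.two_factor_comment = "QLF MFA - you have been sent a code"
auth.settings.two_factor_methods = [
    lambda user, auth_two_factor: _send_sms(user, auth_two_factor)
]

# My _send_sms code built an SMS and sent it via Twilio or RingCentral.
# I wrote this code, but then we ended up not implementing it. The web2py
# code is going away for us. All the same concepts work in py4web
# (nudge wink wink)
# -Jim
#
# On Friday, September 1, 2023 at 5:24:53 AM UTC-5 Ramos wrote:
# > Anyone can help me ?
# >
# > Em qua., 30 de ago. de 2023 às 10:14, António Ramos <ramst...@gmail.com>
# > escreveu:
# >> in other words, how do i protect the administrator password? it does not
# >> have a username , just a password. This is scary :)
# >>
# >> Em ter., 29 de ago. de 2023 às 19:44, António Ramos <ramst...@gmail.com>
# >> escreveu:
# >>> But that is for everyone, i just want to start with users with admin
# >>> powers
# >>>
# >>> Clemens <clemens....@claret-clover.de> escreveu em ter., 29/08/2023 às
# >>> 18:25 :
# >>>> Try enabling 2FA via the following setting, since this is for all users:
# >>>> auth.settings.auth_two_factor_enabled = True
# >>>>
# >>>> Regards
# >>>> Clemens
# >>>>
# >>>> On Tuesday, August 29, 2023 at 6:09:26 PM UTC+2 Ramos wrote:
# >>>>> i just activated the two step auth with this
# >>>>>
# >>>>>     auth.settings.two_factor_authentication_group = "auth2step"
# >>>>>
# >>>>> but now how do i include the administrator user ?
# >>>>>
# >>>>> regards
# >>>>> António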