Opal 2FA questions

Hi @yannick et al.,

I have two questions regarding the 2FA on Opal:

  1. When the 2FA is enforced, the user can still disable it themselves in the Opal UI (after setting it up). I am not sure if that is possible so that users can reset their 2FA in case of a new phone etc., but as an administrator that seemed counterintuitive. In the R environment, the user is still prompted to enter the 6-digit code, so the enforcement works here. I was just wondering whether the option to disable should be greyed out for users in the UI or replaced with a “replace/refresh 2FA” button when this is enforced by the admin.

  2. I haven’t tested it, but if multiple organisations require 2FA, how will that work for the user in the R environment? Will they have to enter codes sequentially, depending on what login Name is currently shown?

Thanks, Florian

Hi Florian,

  1. When 2FA is enforced, the user will always be requested a one-time code at login (either from a new or an existing secret key). Then the “disable 2FA” option (probably not well named) will have limited effect (until next login).
  2. In the R environment, the user is requested to enter the code in the console prompt. It works in DataSHIELD as well since logins are done sequentially:

This being said, for programmatic usage (then DataSHIELD) it is strongly recommended to use Personal Access Tokens, which are more volatile (expiration), scoped (features and projects) and revocable (to minimize impact of leaks in source code).

Cheers
Yannick

Hi Yannick,

thanks for the clarification!

Best,

Florian