MFA/2FA to be controlled by the admin users - not end users
In terms of MFA/2FA requirements, these are normally designed to be enabled at the admin level to be applied to all users of any platform. The current released version of 2FA leaves this up to the end user profile settings/preferences to elect whether to enable this feature or not.
We'd like to see this used/available based on standard principles of online security requirements. We do not allow end users to decide on password minimums (that is set by the admin, by Corevist in that case), just as we would not envision enabling end users to decide whether they should receive an authentication email.
Previous idea: https://feedback.corevist.com/forums/943903-corevist-commerce/suggestions/45247780-multi-factor-authentication-mfa#{toggle_previous_statuses} was declined, but little information was listed in that idea. Now that there is a formally released version of this, it misses the mark on what this type of option was intended for.