Hi guys, I would like to ask if it is possible to block non-administrator users from disabling two-factor email authentication.
The idea is that after the first boot, users enable authentication, but once this is done, they can no longer disable it again.
I would need the only user who could disable it to be a user with administrator permissions.
Does anyone know if this is possible?
I like this feature idea. It complements the (open) feature request for admins to be able to enforce this app on users (#35).
Thinking about it, I'm unsure if this should be implemented in a single 2FA-app like twofactor_email or if it isn't rather a feature that should apply for all 2FA-apps. Also, it needs to be specified whether users should be allowed to disable this/all 2FA apps if they enabled them themselves.
I rather vote to implement it similarly to how apporder does it: In admin settings, there's a switch that enforces the admin's 2FA selection (enable/disable state for 2FA) for all users. This would rather be a big change though.
From a security perspective, it is enough to be able to enforce that ONE 2FA is enabled at least. This already is implemented. So the question is what exactly is the benefit of enforcing twofactor_email?
Unless these questions are discussed here and with the server folks, I am not going to implement this feature idea. However, PRs are always welcome :)