starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-26 09:46:00 +03:00
Code Issues 39 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #981] Organization Two-step Login #697

New issue
Closed
opened 2026-03-03 02:02:18 +03:00 by kerem · 6 comments
kerem commented 2026-03-03 02:02:18 +03:00
Owner
Copy link

Originally created by @bloodypiker on GitHub (May 4, 2020).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/981

Subject of the issue

Orinizational requirement of two factor login on their personal account does not work.

Your environment

  • Bitwarden_rs version: 1.14.2-0de52c6c
  • Install method: Docker image
  • Clients used: Web Vault, Windows app, iOS app
  • Reverse proxy and version: Nginx 1.14.0 (Ubuntu)

Steps to reproduce

Created a new test organization and enabled two-step login within the policies of the organization. I created a test new user without two-factor and added them to the organization.

Expected behavior

Users without two-step logins should not be able to access the stored items within the organization.
"Organization members who do not have two-step login enabled for their personal account will be removed from the organization and will receive an email notifying them about the change."

Actual behavior

Users of all access levels (owner, admin, manager, user) can access all items stored within the org. without satisfying the org. two-factor policy.
If the user had two-factor but removed it, email is not sent nor do they lose access to the org.

Relevant logs

Originally created by @bloodypiker on GitHub (May 4, 2020). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/981 <!-- Please fill out the following template to make solving your problem easier and faster for us. This is only a guideline. If you think that parts are unneccessary for your issue, feel free to remove them. Remember to hide/obfuscate personal and confidential information, such as names, global IP/DNS adresses and especially passwords, if neccessary. --> ### Subject of the issue <!-- Describe your issue here.--> Orinizational requirement of two factor login on their personal account does not work. ### Your environment <!-- The version number, obtained from the logs or the admin page --> * Bitwarden_rs version: 1.14.2-0de52c6c <!-- How the server was installed: Docker image / package / built from source --> * Install method: Docker image * Clients used: <!-- if applicable -->Web Vault, Windows app, iOS app * Reverse proxy and version: <!-- if applicable -->Nginx 1.14.0 (Ubuntu) ### Steps to reproduce <!-- Tell us how to reproduce this issue. What parameters did you set (differently from the defaults) and how did you start bitwarden_rs? --> Created a new test organization and enabled two-step login within the policies of the organization. I created a test new user without two-factor and added them to the organization. ### Expected behavior <!-- Tell us what should happen --> Users without two-step logins should not be able to access the stored items within the organization. "Organization members who do not have two-step login enabled for their personal account will be removed from the organization and will receive an email notifying them about the change." ### Actual behavior <!-- Tell us what happens instead --> Users of all access levels (owner, admin, manager, user) can access all items stored within the org. without satisfying the org. two-factor policy. If the user had two-factor but removed it, email is not sent nor do they lose access to the org. ### Relevant logs <!-- Share some logfiles, screenshots or output of relevant programs with us. -->
kerem 2026-03-03 02:02:18 +03:00
kerem commented 2026-03-03 02:02:20 +03:00
Author
Owner
Copy link

@dani-garcia commented on GitHub (May 7, 2020):

Yes at the moment the policies are only handled client side, but we should handle the 2FA one server side too.

Is the procedure you mention what the official server does? The letting the user remove the second factor, sending them and email and removing their access, I mean.

My initial idea was to simply not let them remove the 2FA if they are part of such an organization, but if upstream does it that way maybe we should follow their steps.

<!-- gh-comment-id:625128333 --> @dani-garcia commented on GitHub (May 7, 2020): Yes at the moment the policies are only handled client side, but we should handle the 2FA one server side too. Is the procedure you mention what the official server does? The letting the user remove the second factor, sending them and email and removing their access, I mean. My initial idea was to simply not let them remove the 2FA if they are part of such an organization, but if upstream does it that way maybe we should follow their steps.
kerem commented 2026-03-03 02:02:20 +03:00
Author
Owner
Copy link

@bloodypiker commented on GitHub (May 8, 2020):

Unfortunately, I have not interfaced with the official server offer.

From the official help documents:

  • The administrator will receive a warning that Organization members, in confirmed status, who don’t have two-step for their account will be removed from the organization and will receive an email notifying them about the change.
  • If the administrator proceeds to enable the two-step login policy Confirmed members of the organization who do not have two-step login enabled will lose access to the organization.
  • Members who lose access to an organization will receive an email informing them of such.
  • Once the user enables two-step login on their account they can then be re-join to the organization through a new invite.
  • Newly invited members will not be able to accept their invitation to the organization until they enabled two-step login on their user account.
  • If a newly invited member currently has a Bitwarden account using the invited email address, they will be notified and must enable two-step login before accepting their invitation.
  • If a newly invited member does not have an account, they will default to using email-based two-step login but will be able to change this configuration at any time.
  • If a member of the organization later disables two-step login on their account, they will be removed from the organization.
<!-- gh-comment-id:625809036 --> @bloodypiker commented on GitHub (May 8, 2020): Unfortunately, I have not interfaced with the official server offer. From the official help documents: <ul> <li>The administrator will receive a warning that Organization members, in confirmed status, who don’t have two-step for their account will be removed from the organization and will receive an email notifying them about the change.</li> <li>If the administrator proceeds to enable the two-step login policy Confirmed members of the organization who do not have two-step login enabled will lose access to the organization.</li> <li>Members who lose access to an organization will receive an email informing them of such.</li> <li>Once the user enables two-step login on their account they can then be re-join to the organization through a new invite.</li> <li>Newly invited members will not be able to accept their invitation to the organization until they enabled two-step login on their user account.</li> <li>If a newly invited member currently has a Bitwarden account using the invited email address, they will be notified and must enable two-step login before accepting their invitation.</li> <li>If a newly invited member does not have an account, they will default to using email-based two-step login but will be able to change this configuration at any time.</li> <li>If a member of the organization later disables two-step login on their account, they will be removed from the organization.</li> </ul>
kerem commented 2026-03-03 02:02:20 +03:00
Author
Owner
Copy link

@fourstepper commented on GitHub (Dec 8, 2020):

If I understand correctly, right now there is no way to enforce the use of in orgs 2FA from the bitwarden_rs server?

<!-- gh-comment-id:740603140 --> @fourstepper commented on GitHub (Dec 8, 2020): If I understand correctly, right now there is no way to enforce the use of in orgs 2FA from the bitwarden_rs server?
kerem commented 2026-03-03 02:02:20 +03:00
Author
Owner
Copy link

@omueller commented on GitHub (Jan 7, 2021):

Hi @fourstepper, have you found new information about that issue in the mean time ? I have the same problem, and at the moment, when I create a new company user, I need to:

  1. invite the user
  2. wait until the account is ready
  3. make sure 2FA has been activated (under /admin/users/overview)
  4. make sure he/she clicks again on the invitation link to be added to the organisation
  5. and then I accept the new user in the organisation.
  6. (check from time to time, that everybody still has 2FA active)

It would be great if there was a way to skip step 3 (and also 4, but it seems there is no other way around?).

Of course these are small issues, thanks again @dani-garcia for your great work!
Best regards, Olivier

<!-- gh-comment-id:756162578 --> @omueller commented on GitHub (Jan 7, 2021): Hi @fourstepper, have you found new information about that issue in the mean time ? I have the same problem, and at the moment, when I create a new company user, I need to: 1. invite the user 2. wait until the account is ready 3. make sure 2FA has been activated (under /admin/users/overview) 4. make sure he/she clicks again on the invitation link to be added to the organisation 5. and then I accept the new user in the organisation. 6. (check from time to time, that everybody still has 2FA active) It would be great if there was a way to skip step 3 (and also 4, but it seems there is no other way around?). Of course these are small issues, thanks again @dani-garcia for your great work! Best regards, Olivier
kerem commented 2026-03-03 02:02:20 +03:00
Author
Owner
Copy link

@fourstepper commented on GitHub (Jan 7, 2021):

Hi Olivier,

There was no change for me in this regard - this still seems like it's unavailable.

<!-- gh-comment-id:756349900 --> @fourstepper commented on GitHub (Jan 7, 2021): Hi Olivier, There was no change for me in this regard - this still seems like it's unavailable.
kerem commented 2026-03-03 02:02:20 +03:00
Author
Owner
Copy link

@olivierIllogika commented on GitHub (Apr 12, 2021):

Hi,
Just created a pull request for this. It's my first time coding rust, but it seems to get the job done.

Please test and give feedback.
Thanks!

<!-- gh-comment-id:817446274 --> @olivierIllogika commented on GitHub (Apr 12, 2021): Hi, Just created a pull request for this. It's my first time coding rust, but it seems to get the job done. Please test and give feedback. Thanks!
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
revert-7033-patch-1
cached-config-operations
test_dylint
1.35.8
1.35.7
1.35.6
1.35.5
1.35.4
1.35.3
1.35.2
1.35.1
1.35.0
1.34.3
1.34.2
1.34.1
1.34.0
1.33.2
1.33.1
1.33.0
1.32.7
1.32.6
1.32.5
1.32.4
1.32.3
1.32.2
1.32.1
1.32.0
1.31.0
1.30.5
1.30.4
1.30.3
1.30.2
1.30.1
1.30.0
1.29.2
1.29.1
1.29.0
1.28.1
1.28.0
1.27.0
1.26.0
1.25.2
1.25.1
1.25.0
1.24.0
1.23.1
1.23.0
1.22.2
1.22.1
1.22.0
1.21.0
1.20.0
1.19.0
1.18.0
1.17.0
1.16.3
1.16.2
1.16.1
1.16.0
1.15.1
1.15.0
1.14.2
1.14.1
1.14
1.13.1
1.13.0
1.12.0
1.11.0
1.10.0
1.9.1
1.9.0
1.8.0
1.7.0
1.6.1
1.6.0
1.5.0
1.4.0
1.3.0
1.2.0
1.1.0
1.0.0
0.13.0
0.12.0
0.11.0
0.10.0
0.9.0
Labels
Clear labels   
SSO

   
Third party

   
better for forum

   
bug

   
bug

   
documentation

   
duplicate

   
enhancement

   
future Vault

   
future Vault

   
future Vault

   
good first issue

   
help wanted

   
low priority

   
notes

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
troubleshooting

   
wontfix
No labels
SSO
Third party
better for forum
bug
bug
documentation
duplicate
enhancement
future Vault
future Vault
future Vault
good first issue
help wanted
low priority
notes
pull-request
question
troubleshooting
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/vaultwarden#697
No description provided.