I only point out, without controversy, that the security of the login is left to the personal responsibility of the users.
This is correct. That's the whole point of two step verification.
LoginGuard provides additional TFA tools, but nothing more.
Yeah, well, I guess we only give you the most advanced second factor authentication framework for Joomla and nothing more, as in no, we don't push it down anyone's throat because that would currently defeat the purpose of improving security through LoginGuard. We write software which actually improves the security of your site, not something to provide a laborious charade and a false sense of security - we're not modeling our software off airport "security". If we find a way to force users to enable 2SV without compromising their security, sure, we will.
If it is not possible to have a list of who is using TFA in the users administration panel or somewhere else, it will mean that we will open the profile of the individual user, one at a time.
Correct. The pages which list records are plain HTML/PHP templates, driven by data fetched by a non-overridable PHP class. Without template overrides you can't modify the former. Without hacking core you can't inject more data in the latter. This is what prevents us from doing it: hacking core defeats the purpose of security.
On the contrary, the pages where you edit a user's profile are XML forms and you can inject additional fieldsets, i.e. tabs, on the page. We use that to inject the TFA view using an HMVC implementation which nobody has attempted before in Joomla. It wasn't a simple task but we made it look like it thanks to over a decade of experience doing difficult things. Impossible takes a while, difficult we do right away.
The only alternative I see is providing a list of users and their 2SV status in LoginGuard itself. I am not sure how I feel about this. It is something that in all seriousness requires thinking about hard. How does that impact the user experience of administrators? Does that leave us with any possible security issues, e.g. a Super User being able to access this page during the captive login? Does it diffuse the security setup of your site, requiring double configuration for limiting access to personal information (which may have GDPR implications)?
Nicholas K. Dionysopoulos
Lead Developer and Director
Greek: native, English: excellent, French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
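To illustrate the "XML forms, inject additional fieldsets" route described in the reply above (as opposed to hacking core), here is an added example of a minimal Joomla 3 user plugin that adds a read-only 2SV-status tab to the user edit form. This is illustration code, not LoginGuard's own HMVC implementation; the plugin name `tfastatus`, the field names and the `#__tfa_records` table are assumptions.

```php
<?php
// Added illustration, not LoginGuard code: a Joomla 3 user plugin that injects
// an extra fieldset (rendered as a tab) into the com_users edit form without
// touching any core file. Plugin name, field names and table are assumptions.
defined('_JEXEC') or die;

class PlgUserTfastatus extends JPlugin
{
    // Form contexts of the backend user edit page and the frontend profile page.
    private $forms = array('com_users.user', 'com_users.profile');

    // Called while the edit form is being built; adding a fieldset adds a tab.
    public function onContentPrepareForm($form, $data)
    {
        if (!($form instanceof JForm) || !in_array($form->getName(), $this->forms, true)) {
            return true;
        }

        $xml = <<<'XML'
<form>
  <fields name="tfastatus">
    <fieldset name="tfastatus" label="PLG_USER_TFASTATUS_FIELDSET_LABEL">
      <field name="enabled" type="text" label="PLG_USER_TFASTATUS_ENABLED_LABEL" readonly="true" />
    </fieldset>
  </fields>
</form>
XML;
        // replace=false merges the new fieldset into the existing form definition.
        $form->load($xml, false);

        return true;
    }

    // Fills the read-only field from the plugin's own (assumed) table, so no
    // core model or template has to be modified to show the status.
    public function onContentPrepareData($context, $data)
    {
        if (!in_array($context, $this->forms, true) || !is_object($data) || empty($data->id)) {
            return true;
        }

        $db    = JFactory::getDbo();
        $query = $db->getQuery(true)
            ->select('COUNT(*)')
            ->from($db->quoteName('#__tfa_records'))
            ->where($db->quoteName('user_id') . ' = ' . (int) $data->id);
        $count = (int) $db->setQuery($query)->loadResult();

        $data->tfastatus = array('enabled' => $count > 0 ? 'Yes' : 'No');

        return true;
    }
}
```

Because the field is injected per edited record, it is still one profile at a time, which is exactly the limitation the reply describes for the list views.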