[5.x]: Frontend Login Blocked when using TOTP about cms HOT 3 OPEN

Hi, thanks for reaching out! At the moment MFA is only implemented for the Control Panel requests, so it should only be enabled for the users who have access to the Control Panel.
That being said, we are working on a front-end solution!

from cms.

Hi, I've come across this for a site I'm working on.

Adding this Event hook removes the issue with the template load

Event::on(Auth::class, Auth::EVENT_REGISTER_METHODS, function (RegisterComponentTypesEvent $event) {
    if(!Craft::$app->getRequest()->getIsCpRequest()) {
        // remove all types for FE requests
        $event->types = [];
    }
});

However if a user logs in to the front end they can then access the control panel (e.g. by entering the url), without the extra MFA step.

we are working on a front-end solution!

Are you able to share what your approach is going to be or a roadmap for front end MFA?

I don't need front end MFA (yet) but would be good to still have the security on the back end if a user logs in.

Many thanks

from cms.

🚨 This part is worth stressing, for anyone else coming across the thread!

However if a user logs in to the front end they can then access the control panel (e.g. by entering the url), without the extra MFA step.

Whether or not Craft treats a request as a “site request” is unrelated to the authenticating user’s permissions! A user with access to the control panel could very well sign in via a front-end login form and bypass auth checks.

The “correct” way to avoid MFA for front-end users I believe would be to place these users in groups that don't overlap with those that grant CP access or require MFA—either that, or check the authenticating user’s permissions prior to removing MFA methods.

from cms.