Resolved: girl_number_5

    (@trutherone)


    Hi,
    I’ve had wp-2fa set correctly for the main site of my multisite for a good while. Now I want to use it for all subsites. There are only two users in my system and there will only ever be the same two: a Super-admin and an ordinary admin who looks after ALL subsites.

    I configure wp-2fa to apply to Network/Super-admin and standard admins only with no grace period. Then the issue starts:

    I log in to a subsite with the standard admin credentials, and after a successful login I get redirected to the main site dashboard for super-admins, or sometimes it refreshes the subsite’s login page and loads the main site’s login page. The wp-2fa dialogue is displayed OK, asking me to configure it for the first time, but I’m actually in the wrong site: the main site.

    Any idea what’s happening here?

Viewing 5 replies - 1 through 5 (of 5 total)
    Plugin Contributor robertabela

    (@robert681)

    Hello @trutherone

    Thank you for using our plugin.

    This is the expected plugin behaviour. Users on a multisite network are network users who have permissions / privileges on specific sub sites, and the plugin also treats the network as a network.

    So when a user from any sub site needs to configure 2FA, the 2FA setup is done “at network level” and from then on, whenever that user logs in to any site on the network, they are asked for the 2FA code since the 2FA setup is for that user on that network.

    Once the user has completed the 2FA setup they can use the “My Sites” menu from the top menu to navigate back to their website.

    Can you confirm that the users in question can successfully configure 2FA or are there any issues?

    Looking forward to hearing from you.

    Thread Starter girl_number_5

    (@trutherone)

    Hi,
    No, there is no problem for the admin user logging in; I just don’t understand why, as soon as he logs in to a subsite to configure 2fa for the first time, WordPress redirects him to the main site. The main site should only be accessible by the network-administrator.

    Even though in my installation I am both network-administrator and standard-admin, it would be totally unacceptable if each subsite was exclusively for a different admin person and they could access the main site as network-admin during initial 2fa setup. The standard-admin account is for managing ALL the subsites (same username/password and user-ID), which are completely different credentials to the network admin’s login credentials.

    When I go ahead anyway and configure 2fa for a subsite first-time while logged in to the main website, I can see that I’m changing the 2fa configuration for the main site, which is already set up and working fine. This is proven when I’m in the authenticator app and I can see my network-admin username and not the username of the subsite admin – and of course it has the wrong URL of the subsite. This plugin is very difficult to understand when working with Multisites.

    Plugin Contributor robertabela

    (@robert681)

    Hello @trutherone

    Thank you for your response.

    On a multisite network there are no site-specific users. All users are network users and they are assigned a user role / privileges on specific sub sites. So when you configure 2FA for a user, it is done at network level.

    This means that if for example you have a user who has an administrator user role on one site, and editor on another site, and 2FA is enforced on all users with administrator user role, that user has to configure 2FA and then that user will always need to authenticate using 2FA, regardless of which site they are logging in to.

    So the 2FA configuration happens at network level. Also, once a user accesses the network dashboard and configures 2FA, from there they can only visit the sites they have access to. They cannot do anything else.

    May I ask why it is a problem for a user to access the network admin dashboard? We’d like to learn more about your setup, so if there is something we can improve and do better in the plugin, we can certainly apply it.

    Looking forward to hearing from you.

    Thread Starter girl_number_5

    (@trutherone)

    Hi,
    No user other than the network admin should have access to the network admin area no matter whether dashboard or anywhere else. This seems a flaw in wp-2FA; WordPress goes to great lengths to enforce separation between network-admin, standard-admin and other account types. I’ve never seen ANY advice given by WordPress themselves or anyone recommending any other user have access to the main network site.

    If a standard admin user was granted permission to create his/her own network, then still they would only have access to their own site and their subsites in their own network, and still ONLY the main top-level network admin would have access to any site on the network – that’s how the site hierarchy works.

    The way this plugin works suggests that any standard admin should access the network site. Can you make it so that standard admins can set up 2FA from their account, and then only adopt the method that you currently use to allow any other user type to set up 2FA from a standard-admin account? Or better still, each user sets up wp-2fa from their account only – it should be as specific as that.

    Plugin Contributor robertabela

    (@robert681)

    Hello @trutherone

    Thank you for the update and sorry for the late reply. I’ve done some testing on this and I can confirm that the plugin is working correctly and that there is no flaw in it. Below is an explanation of what is happening:

    1) On a multisite network, the users are network users and they are assigned specific roles on sub sites on the network. Users can also have multiple user roles on multisite sub sites.

    2) Every user on the network, regardless of the user roles they have on the different sub sites or on the network, can always access their user profile page at network level. The URL for a network’s user profile page is the following:

    https://[multisite-network-domain]/wp-admin/network/profile.php

    Please try this and you can see that with or without WP 2FA any user on your network can access this network user profile page.

    3) This is the only page at network level that any user without super admin role can access on the network. This is default WordPress behaviour.

    4) When you use WP 2FA, and a user has to configure WP 2FA, 2FA is configured at the network level and not at sub site level. This is a security feature by design. If 2FA is not configured at network level, it can be easily bypassed if a user has different user roles on different sub sites.

    For example;

    a) a user has administrator role on one site and author role on another website
    b) you enforce 2FA on all users with administrator user role
    c) If 2FA was enforced at sub site level, when the user with multiple roles logs in to the site on which they have author role, then they do not need 2FA. However, once logged in they can access all the sites they have access to, bypassing 2FA.

    So to conclude, there are no flaws and the plugin is working correctly on the multisite network.

    I trust the above answers your questions. Should you require any further information, please do not hesitate to ask.

    Thank you again for using our plugin.
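    A small model of the two enforcement scopes compared in this reply, written here as an added example (it is not WP 2FA or WordPress code): the sites, users and roles are constructed sample data, and `ENFORCED_ROLES` stands for the roles the network administrator enforces 2FA on. It shows why checking the policy only against the role on the site being logged into leaves the author-on-one-site / administrator-on-another gap from points a) to c), while checking every role the network user holds does not.

```python
"""Constructed model of sub-site-level vs network-level 2FA enforcement.

Not plugin or WordPress code: NETWORK_ROLES is made-up sample data
mapping site -> {username: role}, and ENFORCED_ROLES is the policy the
network administrator chose (here: all users with the administrator role).
"""

NETWORK_ROLES = {
    "site-a.example": {"alice": "administrator", "bob": "author"},
    "site-b.example": {"alice": "author", "bob": "editor"},
}

ENFORCED_ROLES = {"administrator"}


def roles_on_site(user, site):
    """Role the network user holds on one specific sub site (empty set if none)."""
    role = NETWORK_ROLES.get(site, {}).get(user)
    return {role} if role else set()


def roles_on_network(user):
    """Every role the network user holds anywhere on the network."""
    return {r for members in NETWORK_ROLES.values()
            for u, r in members.items() if u == user}


def reachable_sites(user):
    """Sites the user can reach after one login: every site they have a role on
    (point c in the reply: once logged in they can access all their sites)."""
    return {site for site, members in NETWORK_ROLES.items() if user in members}


def requires_2fa_subsite(user, login_site):
    """Sub-site-level enforcement: only the role on the login site is checked."""
    return bool(roles_on_site(user, login_site) & ENFORCED_ROLES)


def requires_2fa_network(user):
    """Network-level enforcement (what the plugin does): any enforced role counts."""
    return bool(roles_on_network(user) & ENFORCED_ROLES)


def bypass_possible(user, login_site):
    """True when sub-site-level enforcement lets the user in without 2FA and the
    same network login then reaches a site where 2FA would have been required."""
    if requires_2fa_subsite(user, login_site):
        return False
    return any(requires_2fa_subsite(user, s) for s in reachable_sites(user))
```

    Logging alice in on site-b.example (where she is only an author) is the case the reply describes: sub-site-level enforcement asks for no second factor, yet the same login reaches site-a.example where she is an administrator, while network-level enforcement requires 2FA for her regardless of the login site.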

The topic ‘Can’t configure wp-2fa for subsites’ is closed to new replies.