Title: [Hardening] F-03: Recommended Mandatory 2FA Enforcement from the Start. · Issue #13335 · apache/cloudstack · GitHub
Open Graph Title: [Hardening] F-03: Recommended Mandatory 2FA Enforcement from the Start. · Issue #13335 · apache/cloudstack
X Title: [Hardening] F-03: Recommended Mandatory 2FA Enforcement from the Start. · Issue #13335 · apache/cloudstack
Description: The required feature described as a wish Description: The "Tyranny of Default" principle recommends enabling the global setting mandate.user.2fa from the start. Security can always be downgraded later, but most users will simply accept w...
Open Graph Description: The required feature described as a wish Description: The "Tyranny of Default" principle recommends enabling the global setting mandate.user.2fa from the start. Security can always be downgraded la...
X Description: The required feature described as a wish Description: The "Tyranny of Default" principle recommends enabling the global setting mandate.user.2fa from the start. Security can always be dow...
Opengraph URL: https://github.com/apache/cloudstack/issues/13335
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"[Hardening] F-03: Recommended Mandatory 2FA Enforcement from the Start.","articleBody":"### The required feature described as a wish\n\n\u003cimg width=\"894\" height=\"441\" alt=\"Image\" src=\"https://github.com/user-attachments/assets/2e377d7c-2a4d-4e4f-bfbd-a5920411a44f\" /\u003e\n\n**Description:** The \"Tyranny of Default\" principle recommends enabling the global setting `mandate.user.2fa` from the start. Security can always be downgraded later, but most users will simply accept whatever defaults they are given. If `mandate.user.2fa` is not set, 2FA remains ineffective even for those users who have already enrolled.\n\n**Affected Components:** Management UI\n\n**Impact:** Without mandatory enforcement, users may choose not to enroll in 2FA. In environments with regulatory or compliance requirements (e.g., PCI-DSS, SOC 2), the absence of enforced MFA may constitute a compliance gap.\n\n**Steps to Reproduce:**\n- Log in to the CloudStack Management UI as a Root Admin.\n- Navigate to Configuration \u003e Global Settings.\n- Search for `mandate.user.2fa` and confirm the value is False.\n- Create a new user account at any permission level.\n- Log in as that user and confirm that access is granted without any 2FA prompt.\n\n**Recommended Remediation:** Set `mandate.user.2fa` to True by default. Users will be naturally guided to set up 2FA at first login without friction, and the first impression of the ACS project will reflect a stronger security posture.","author":{"url":"https://github.com/davift","@type":"Person","name":"davift"},"datePublished":"2026-06-04T00:53:20.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13335/cloudstack/issues/13335"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:fff1e9c3-11b1-1852-a731-1de0ab1297b8 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | 8500:8CD9D:6FABB4:97DEF8:6A4DD1C4 |
| html-safe-nonce | 703e6c8d3fbe71130b82077352350fb91e764c4c1c3f30c65d6f5d90bf9437f4 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4NTAwOjhDRDlEOjZGQUJCNDo5N0RFRjg6NkE0REQxQzQiLCJ2aXNpdG9yX2lkIjoiNzIzOTUzNDA3MDYxNDMxNTQ2MCIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 86dc2982e34c272177d898da441c05e2f9ef013e6568a7eb19b2c38521e25561 |
| hovercard-subject-tag | issue:4584814544 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13335/issue_layout |
| twitter:image | https://opengraph.githubassets.com/e2e5cb38e7111f871eae44cbcbe21920264fef507132e34972b3785827e0d324/apache/cloudstack/issues/13335 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/e2e5cb38e7111f871eae44cbcbe21920264fef507132e34972b3785827e0d324/apache/cloudstack/issues/13335 |
| og:image:alt | The required feature described as a wish Description: The "Tyranny of Default" principle recommends enabling the global setting mandate.user.2fa from the start. Security can always be downgraded la... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | davift |
| hostname | github.com |
| expected-hostname | github.com |
| None | 06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33 |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width