I believe triggering the MFA with an Action is also not possible atm. We are currently working on a Login API, where you could build such a flow (e.g., based on Metadata / permissions).
As a developer, I want to be able to create an action with custom code on each event that can happen in ZITADEL, so that I am able to implement custom workflows. Acceptance criteria I am able to ad...
Less of a technical contribution but more of a question for the "why" or better to say for the "why not":
I understand the idea of enforcing MFA for users with extended privileges. However, why don't you want to enforce it for everyone?
Remember that if you super-secure certain accounts, an attacker could simply take over any other account. There's a saying that basically goes, "securing the front door with a self-firing system, but leaving the side entrance door open." (Kindly ignoring the fact that a burglar will take the easiest way to get into the house, not the most obvious.)
Depending on your application and the attack, the damage caused by one or more "normal" user accounts being hacked could be equally as bad as the damage caused by one administrator account being hacked.
So why not enforce it for everyone? There might be good reasons, but you should definitely be certain about it.
Did you explain to him that lowering the security measures for comfort (which seems to be what he's arguing for) comes with an increased risk of loss of company secrets, user data, abuse of user accounts, etc.? If he's accepting those, at the very least ask him for written instructions to implement such a solution and have him confirm that you warned about the increased risks. So at least they can't hold you responsible if anything goes bad.