Hello,

I hope this message finds everyone well!

RE: https://forum.osticket.com/d/101837-2fa-for-users-in-addition-to-agents/14

Back some time ago, I had asked if it was possible to add MFA to the "user" section of the portal. Out of all of the users in the system, we trust our agents the most (in terms of security). So it's not a big deal for our agents to use MFA. If it's there (which it is) we would enable it. What's critical for us is enabling MFA for our "users", which are our end-user customers. This is where we are mostly concerned with safety when it comes to the osTicket software. At the time I mentioned it, there were some discussions about adding it in a newer release (I'm assuming a fair bit of the MFA code could be copied to the MFA for user section...?). Anyways, just curious if there have been any changes in this direction?

I appreciate everyone's assistance! Thank you so much!

Take care,
Neil

    TheMitelGuy

    The current codebase is in maintenance mode while we work on the full rewrite (v2.0). This means we are not releasing any major features for the current codebase; only bug fixes, security patches, required dependency updates, and minor enhancements.

    We have not added MFA for Users but there is somewhat of a workaround. You can install the OAuth2 plugin and configure any number of OAuth2 providers for the Users and/or Agents to log in with. The caveat is you have to have an account with that provider to register an OAuth2 application/project/etc. Once configured, the Users can log in through the provider, where they can have additional 2FA configured on their account.

    Cheers.

      KevinTheJedi Thanks very much for your quick reply. I'm excited to read what you have mentioned, but I don't fully understand what you are saying, sorry. I'm not sure how it would work in the end for users?

      Thanks so much
      Neil

        TheMitelGuy

        We don’t have 2FA for users. What we do have is OAuth2. Most major providers like Google, Microsoft, Okta, etc. all offer OAuth2 SSO. With osTicket you can install and configure the OAuth2 plugin for a provider like Google so that a User can click a button to go to Google to authenticate, then Google sends them back to osTicket where they are logged in.

        What this means is the User can have 2FA enabled on their external auth provider so that after they sign in with the provider they’ll get a 2FA prompt before being directed back to osTicket.

        Cheers.

        Sorry to butt in. But I've been loosely following the discussions about 2FA with interest.
        Would this provide a solution:

        miniorange[dot]com/two[dash]factor[dash]authentication[dash]for[dash]osticket[dash]support[dash]ticketing[dash]system

        Not tried it myself and the instructions seem a little long-winded, but I noticed someone else on GitHub referenced it too.

          m-law

          Ewww! Not only does it involve a 3rd party connector but it’s also PAID. At a premium level where you have to contact them to “get a quote”! We all know what that means... I hope you’re ready to empty your pockets for your entirely free help desk! Note, I edited the link as to not advertise a paid service and to not provide click-backs/seo/etc. Please do not advertise 3rd party sites on this forum; especially paid ones.

          With this being said, I believe they are looking for more of a native (and FREE - as open source should be) 2FA like the one we have for Agents. This way there is no external authentication provider involved (unless they use an Authenticator app of course) with long-winded setups, etc. and most importantly no money involved.

          I believe we are extending the full 2FA to Users in v2.0 as Laravel has it natively so it’ll be easier to implement across the board. Stay tuned!

          Cheers.

            KevinTheJedi That's good. I was looking into using Laravel Jetstream with Inertia/Vue stack for my latest use case, before coming back to osTicket. So I was pleased to see that v2.0 will be based on Laravel.

            I appreciate everyone's thoughts, suggestions and info! Much appreciated! Thank you!

            TheMitelGuy

            As always, we do not have a set release date or any sort of timeline; we will advertise and release it when we are ready (typical osTicket fashion). If you ask any seasoned developer, completely rewriting an existing and monolithic software is virtually impossible to predict a timeline for. You run into many different obstacles, sometimes you run into unexpected limitations, sometimes you have to theorize and reinvent major/core parts and make damn sure they are done right, discover and learn new packages and tools, and SO much more. Yes, we are a small development team but we’ve been able to knock out so much and we are super proud of what we have so far. What I can say is that development is coming along very well. We are completely redesigning the functionality of some parts, adding completely new concepts, hammering out core functionality, etc. What we have right now is super sick and we can’t wait to share more when the time comes.

            With all that being said, we hope to have a public preview out this year (and maybe even a release candidate - depending on where we are at).

            Cheers.

              15 days later

              Hey KevinTheJedi - thanks again for the info. My last question - is there a process for customers to sign up to be on the beta/NPI (new product introduction) testing? We complete many betas/NPIs each year with a couple of our largest manufacturers (software developers). We are very good with doing beta/NPI work - we are very organized in our finding and reporting of issues. We look at products from a multitude of positions - technical customers, non-technical customers, end-users, power users, departments, etc. So we can provide a really good report back of "finds" and issues that we have come across. Just wondering if there was a process for us to sign up or just make the decision makers aware of what we can do?

              Thanks again! I greatly appreciate all of your help!
              Neil

                TheMitelGuy

                Not at this time, no. You would just need to follow our GitHub repos and follow the website and forum to see any updates. We will announce the new repo, etc. once it gets closer.

                Cheers.

                We have Microsoft for our email provider and have implemented the OAuth plugin Kevin mentioned. This way, any user in our AAD can log in with their credentials. It works great, especially with MS Edge - logs you right in without even signing in if SSO is enabled with your AD sync agent. Make sure you still have a local admin user in case the OAuth breaks in osTicket. Kevin - can you make it so that the captcha doesn't keep asking me to verify? 🙂