TFA can be enforced on any role by an admin, but those roles should also be able to set up their TFA account without contacting admins.

Example:

Enforce TFA on the "administrator" role on this page: "admin/config/people/tfa".
An administrator user tries to log in to the site with username and password; the user gets an error: "Login disallowed. You are required to set up two-factor authentication. Please contact a site administrator."
Shouldn't the admin user be prompted to set up a TFA account instead of seeing the above error?

Comments

khaldoon_masud created an issue.

khaldoon_masud

Issue tags: -selflogin +self-setup
Nazer.Patel

Was there any resolution to this?

I am facing an issue where I would like to give the user the ability to set up TOTP authentication with their Google Authenticator app. However, the user is not presented a screen to enable TFA and scan the barcode.

Jean Gionet

I'm faced with the same issue. A user can authenticate, however they can't set up their own TFA even though the permission is set to allow them to. I want to require TFA authentication for all roles. If I don't set this, anybody can log in without a code set up.

saintnexcis

Has there been any progress on this? Like Jean, I'm trying to roll this out to all authenticated users... however the only way I've managed to implement it is by going to each user's PC, logging in as the Admin, and setting up the TFA application on their account while they are there so they can get the QR code, get the Application verification code, etc. There's no way I can roll this out on a mass scale.

As Jean stated, authenticated users have permissions set up for TFA for account (TFA Basic Plugins). As an authenticated user I do see the security tab while looking at my account. In clicking on Set up application (under TFA application) it asks for Current password. Neither the Admin's account password nor the user's password works here. I keep getting "Incorrect password".

gisle

This is the procedure I ended up with to allow my users to opt in to TFA without the need for admin intervention.

First enable TFA for account authentication for your site.

To let your users opt in to TFA, you must create a special role for people who have not yet set up TFA (e.g. “TFA-nonuser”), and give this role the permission “Set up TFA for account”. Now, make all your users who have not set up TFA belong to the “TFA-nonuser” role. It is also important that you do not tick the box on the TFA admin page (Administration » Configuration » People » Two-factor Authentication) that says “Roles required to have set up TFA” for authenticated users or for “TFA-nonuser” (if you do, all your users belonging to a ticked role will encounter a Catch-22 when they first try to log in: “Login disallowed. You are required to set up two-factor authentication. Please contact a site administrator.” This of course prevents the user from setting up TFA.)

You can use Auto Assign Role to automate this role assignment when a new account is created.

This setup will allow all users belonging to the role “TFA-nonuser” to authenticate as normal. You must then instruct the user to visit the “Security” tab on his or her profile and enable TFA (the exact dialogue depends on what plugin/method you use for TFA). After the user has opted in, the next login will require the user to meet the TFA challenge to be able to log in successfully.

However, the user is free to opt out of TFA again by visiting the security tab on his/her user profile and opting out.

If you want to remove this option, you need to remove the user from the role “TFA-nonuser” after she or he has opted in to, and set up, TFA. Then the Security tab will be gone from the user's profile, and the user is locked into having to use TFA in order to authenticate. On a small site, the admin can do this manually. On a large site, you may want to create a custom module to automate this.

PS: Let me add that there is room for improvement here. If the “Roles required to have set up TFA” feature was tweaked to redirect users who had not yet set up TFA to a special page that allowed them to set up TFA (instead of just refusing access), things would (IMHO) be much more intuitive and not require the admin to toggle a special role. But given the way the module currently works, the above procedure is what you can do.
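As an added example (not gisle's code and not part of the TFA module), here is a minimal Drupal 7 module that automates the last step of the procedure above: once an account has TFA enabled, the opt-in role is dropped on the user's next login or by cron, so the Security tab and the opt-out disappear. It assumes the role is named "TFA-nonuser", a hypothetical module name tfa_role_cleanup, and that tfa_basic's tfa_basic_get_tfa_data() returns an array with a 'status' key.

```php
<?php
// Name of the opt-in role from the procedure above (assumption).
define('TFA_ROLE_CLEANUP_ROLE', 'TFA-nonuser');

/**
 * Implements hook_user_login().
 *
 * Runs after a successful login; a user who already opted in has passed the
 * TFA challenge by now, so the opt-in role is no longer needed.
 */
function tfa_role_cleanup_user_login(&$edit, $account) {
  tfa_role_cleanup_check_account($account);
}

/**
 * Implements hook_cron().
 *
 * Sweeps everyone still in the role, so accounts that set up TFA but have
 * not logged in since are cleaned up as well.
 */
function tfa_role_cleanup_cron() {
  $role = user_role_load_by_name(TFA_ROLE_CLEANUP_ROLE);
  if (!$role) {
    return;
  }
  $uids = db_query('SELECT uid FROM {users_roles} WHERE rid = :rid',
    array(':rid' => $role->rid))->fetchCol();
  foreach (user_load_multiple($uids) as $account) {
    tfa_role_cleanup_check_account($account);
  }
}

/**
 * Drop the opt-in role if TFA is enabled; returns TRUE when a role was removed.
 */
function tfa_role_cleanup_check_account($account) {
  $role = user_role_load_by_name(TFA_ROLE_CLEANUP_ROLE);
  if (!$role || !isset($account->roles[$role->rid]) || !module_exists('tfa_basic')) {
    return FALSE;
  }
  // Assumed: tfa_basic_get_tfa_data() returns array('status' => bool, ...).
  $tfa = tfa_basic_get_tfa_data($account);
  if (empty($tfa['status'])) {
    return FALSE;
  }
  user_multiple_role_edit(array($account->uid), 'remove_role', $role->rid);
  return TRUE;
}
```

The role removal is only safe because "Roles required to have set up TFA" is ticked for the roles users end up in after the cleanup, not for "TFA-nonuser"; otherwise you recreate the Catch-22 gisle describes.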

saintnexcis

gisle, thanks for the procedure; unfortunately, I'm still having the same problem. Whenever the user selects "Set up application" under the Security tab, it asks for "Current password *" (Enter your current password to continue.), and neither the user's password nor my admin password is accepted. Therefore the user is completely unable to proceed to the TFA setup - Application page where they can select the authentication code application and use the QR code to add/sync said application, etc.

gisle

@SaintNexcis,
why are your users unable to enter their own password? This is the same password as the password the user is using to login without TFA. Since the user must be logged in to reach this step, they have already used it, and must know it.

(It may be argued that since the user is already logged in, this authentication is unnecessary, but it is a safeguard against people hijacking the TFA credential if a user leaves a logged-in session unguarded.)

greggles

@gisle in #8 - it's very likely that SaintNexcis is experiencing #2759861: TFA Setup reporting "incorrect password" for AD accounts and that the problem they face is unrelated to this general issue.

saintnexcis

@gisle
I believe that greggles may be correct.

Given that (as you pointed out) the user is able to log in using their own password, there is no reason why the user wouldn't know their own password at this point. I think it may be related to the use of LDAP to authenticate the user's credentials.

natemow

I created a small module to help address the self-service concerns outlined in this issue: https://www.drupal.org/project/tfa_basic_self_setup -- enjoy, feedback welcome.

francewhoa

@natemow :) Thanks for your Contrib module tfa_basic_self_setup. The Ubertus team is presently reviewing it. We're facing a similar challenge with tfa, and your Contrib module might resolve it or part of it. If it does, we might contribute to tfa_basic_self_setup.

damienmckenna

Version: 7.x-1.0 » 7.x-1.x-dev