🔐 2FA Organization Enforcement
Comprehensive Two-Factor Authentication requirement system for organizations
⚠️ Security Feature: This system enforces 2FA requirements at the organization level, ensuring all members have enhanced account security before accessing organization features.
✨ Feature Overview
🛡️ Organization-Level 2FA Enforcement
Administrators can require all organization members to enable 2FA to access any organization features.
🚫 Access Prevention
Users without 2FA are blocked from organization interactions until they enable it.
📱 User-Friendly Notifications
Clear modals and banners guide users to enable 2FA with helpful instructions.
🔧 API-Level Protection
Backend validation prevents unauthorized access to organization endpoints.
📋 How to Test
Step 1: Enable 2FA Requirement
1. Go to Organization Management
2. Find "Organization Settings" section
3. Toggle "Require Two-Factor Authentication (2FA)" to ON
4. Setting is saved automatically
Step 2: Test with User Without 2FA
1. Log in as a user who hasn't enabled 2FA
2. Try to access organization features
3. You'll see a modal requiring 2FA enablement
4. API calls will be blocked with 403 responses
Step 3: Enable 2FA
1. Go to Profile Settings
2. Enable Two-Factor Authentication
3. Complete the setup process
4. Return to organization features - access is restored
Step 4: Test API Protection
1. Open browser developer tools
2. Monitor network requests to organization endpoints
3. Without 2FA: See 403 responses with "2fa_required" error
4. With 2FA: Normal API responses
🔧 Technical Implementation
Organization Settings
'security' => [
'require2FA' => false // Toggle this setting
]
Protected API Endpoints
// organization-api.php protected actions:
get_members, update_settings, approve_member, reject_member,
change_role, transfer_data, create_role, update_role, delete_role
// role-api.php protected actions:
get_user_role, get_organization_members, update_user_role,
get_organization_roles, create_role, update_role, delete_role
Client-Side Integration
// Include in your pages:
<script src="2fa-enforcement.js"></script>
// Use enhanced fetch:
const data = await fetchWithAuth('/api/endpoint', options);
if (data.handled) {
// 2FA modal was shown to user
return;
}
🎯 Key Functions
organizationRequires2FA($organizationId)
Checks if organization has 2FA requirement enabled
userHas2FAEnabled($userEmail)
Verifies if specific user has 2FA enabled
canUserAccessOrganization($userEmail, $organizationId)
Comprehensive access check combining both validations
validate2FARequirements($userEmail, $organizationId)
API middleware that blocks requests and sends JSON responses
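The following is an added example, not the project's own code, showing how the four key functions above and the protected-endpoint check fit together. It uses constructed in-memory arrays in place of the real organization and user storage; the exact JSON body (everything beyond the "2fa_required" error name), the fail-closed handling of an unknown organization id, and the handleGetMembers handler are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the real storage layer.
// The 'security' => ['require2FA' => ...] shape mirrors the settings
// fragment shown under "Organization Settings".
$ORGANIZATIONS = [
    'org-acme' => ['security' => ['require2FA' => true]],
    'org-open' => ['security' => ['require2FA' => false]],
];
$USERS = [
    'alice@example.com' => ['twoFactorEnabled' => true],
    'bob@example.com'   => ['twoFactorEnabled' => false],
];

// Checks if the organization has the 2FA requirement enabled.
function organizationRequires2FA(string $organizationId): bool
{
    global $ORGANIZATIONS;
    // Assumption: an unknown organization id fails closed (treated as
    // requiring 2FA) so a typo or deleted org never disables the check.
    if (!isset($ORGANIZATIONS[$organizationId])) {
        return true;
    }
    return (bool) ($ORGANIZATIONS[$organizationId]['security']['require2FA'] ?? false);
}

// Verifies whether this specific user has 2FA enabled (unknown user: no).
function userHas2FAEnabled(string $userEmail): bool
{
    global $USERS;
    return (bool) ($USERS[$userEmail]['twoFactorEnabled'] ?? false);
}

// Combined check: access is denied only when the organization requires
// 2FA and the user has not enabled it.
function canUserAccessOrganization(string $userEmail, string $organizationId): bool
{
    return !organizationRequires2FA($organizationId) || userHas2FAEnabled($userEmail);
}

// Middleware-style check. Returns null when the request may proceed;
// otherwise returns the status code and JSON body the endpoint must send.
// Assumed body shape: the page only fixes the 403 status and the
// "2fa_required" error value.
function validate2FARequirements(string $userEmail, string $organizationId): ?array
{
    if (canUserAccessOrganization($userEmail, $organizationId)) {
        return null;
    }
    return [
        'status' => 403,
        'body'   => [
            'success' => false,
            'error'   => '2fa_required',
            'message' => 'This organization requires two-factor authentication. '
                       . 'Enable 2FA in Profile Settings to continue.',
        ],
    ];
}

// Hypothetical protected action (modelled on get_members): the 2FA check
// runs before any organization data is read, and a blocked request returns
// the 403 payload without reaching the real handler body.
function handleGetMembers(string $userEmail, string $organizationId): array
{
    $denied = validate2FARequirements($userEmail, $organizationId);
    if ($denied !== null) {
        return $denied; // the real endpoint would set the status and emit JSON here
    }
    // A real handler would load the member list at this point.
    return ['status' => 200, 'body' => ['success' => true, 'members' => []]];
}

// Running from the CLI prints the outcome for every constructed user/org pair.
if (PHP_SAPI === 'cli') {
    foreach (array_keys($USERS) as $email) {
        foreach (array_keys($ORGANIZATIONS) as $org) {
            $r = handleGetMembers($email, $org);
            printf("%-18s %-9s -> %d %s\n", $email, $org, $r['status'],
                   $r['status'] === 200 ? 'ok' : $r['body']['error']);
        }
    }
}
```

Two points are worth checking when wiring this into organization-api.php and role-api.php: every action in the protected lists above should call validate2FARequirements before touching data (not only the read actions), and the client-side fetchWithAuth helper should key its modal on the "2fa_required" error string rather than on the bare 403 status, since other authorization failures use the same code.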
📱 User Experience
- Warning Banner: Non-intrusive notification about 2FA requirement
- Modal Dialog: Detailed explanation when accessing protected features
- Settings Link: Direct navigation to 2FA setup
- Clear Messaging: Explains why 2FA is required and how to enable it
🔒 Enhanced security through systematic 2FA enforcement
Protecting organization data with comprehensive access controls