The required feature described as a wish
Description: The global configuration setting enable.user.2fa defaults to False, so users who wish to use two-factor authentication (2FA) cannot enroll until a Root Admin enables the setting and restarts the management server(s).
Affected Components: Management UI
Impact: Any compromised or weak user credential is sufficient to gain full access to a user's CloudStack account. This makes the platform susceptible to credential-stuffing, phishing, and brute-force attacks with no second factor to impede unauthorized access.
Steps to Reproduce:
- Log in to the CloudStack Management UI as a Root Admin.
- Navigate to Configuration > Global Settings.
- Search for enable.user.2fa and observe that its value is set to False.
- Attempt to enable 2FA on your own user account, and confirm that it is not permitted.
Recommended Remediation: Change the default value of enable.user.2fa to True so that users are always permitted to enroll in 2FA without requiring Root Admin intervention.
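The check and the remediation above can also be done against the CloudStack API instead of the UI, which is how an operator would audit many management servers at once. The following is an added example, not code from the report or from the CloudStack project: it builds signed listConfigurations and updateConfiguration requests using CloudStack's documented request-signing scheme (sorted, URL-encoded, lower-cased query string signed with HMAC-SHA1 and base64-encoded) and evaluates a listConfigurations response. The API key, secret key and the sample JSON response are constructed for illustration; the field names follow the shape of a real listConfigurations reply but you should confirm them against your version.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote

SETTING = "enable.user.2fa"


def build_signed_query(params: dict, api_key: str, secret_key: str) -> str:
    """Return a CloudStack API query string with the request signature appended.

    Signing scheme: add apiKey and response=json, sort parameters by name
    (case-insensitively), URL-encode values, lower-case the whole string,
    HMAC-SHA1 it with the secret key, base64-encode the digest and append
    it as the "signature" parameter. api_key/secret_key are hypothetical.
    """
    full = dict(params, apiKey=api_key, response="json")
    encoded = "&".join(
        f"{k}={quote(str(v), safe='*')}"
        for k, v in sorted(full.items(), key=lambda kv: kv[0].lower())
    )
    digest = hmac.new(secret_key.encode(), encoded.lower().encode(), hashlib.sha1).digest()
    signature = quote(base64.b64encode(digest).decode(), safe="")
    return f"{encoded}&signature={signature}"


def audit_query(api_key: str, secret_key: str) -> str:
    """Signed query that reads only the enable.user.2fa setting."""
    return build_signed_query(
        {"command": "listConfigurations", "name": SETTING}, api_key, secret_key
    )


def remediation_query(api_key: str, secret_key: str) -> str:
    """Signed query that flips enable.user.2fa to true (Root Admin credentials required).

    As the report notes, the management server(s) may still need a restart
    before the new value takes effect.
    """
    return build_signed_query(
        {"command": "updateConfiguration", "name": SETTING, "value": "true"},
        api_key,
        secret_key,
    )


def audit_2fa_setting(response_body: str) -> dict:
    """Evaluate a listConfigurations JSON reply and report whether 2FA enrollment is allowed."""
    data = json.loads(response_body)["listconfigurationsresponse"]
    entries = [c for c in data.get("configuration", []) if c.get("name") == SETTING]
    if not entries:
        raise ValueError(f"{SETTING} not present in response; check the API version")
    entry = entries[0]
    enabled = str(entry.get("value", "")).strip().lower() == "true"
    return {
        "name": SETTING,
        "enabled": enabled,
        "finding": None
        if enabled
        else "users cannot enroll in 2FA; any single compromised credential grants full account access",
    }


# Constructed sample reply, modelled on a listConfigurations response for a
# default installation (value "false"); not captured from a real server.
SAMPLE_RESPONSE = json.dumps({
    "listconfigurationsresponse": {
        "count": 1,
        "configuration": [
            {
                "category": "Advanced",
                "name": "enable.user.2fa",
                "value": "false",
                "description": "Enable two factor authentication for users",
            }
        ],
    }
})

if __name__ == "__main__":
    result = audit_2fa_setting(SAMPLE_RESPONSE)
    print(result)
    if not result["enabled"]:
        print("remediation:", remediation_query("HYPOTHETICAL_API_KEY", "HYPOTHETICAL_SECRET"))
```

Run the audit query with read-only credentials first; only the updateConfiguration call needs Root Admin keys, and the signature covers every parameter, so a tampered name or value is rejected by the server.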