MFA Enforcement on an Organization not working anymore? #1908

Closed
opened 2026-02-05 02:10:26 +03:00 by OVERLORD · 3 comments
Owner

Originally created by @rbability on GitHub (May 2, 2024).

I am on 1.30.5, but I cannot say when the issue started, because we do not invite new users to those Organizations very often.

Subject of the issue

After inviting a new user to an organization which has the "Enforce MFA" function enabled, I realized that this user has access, but was not enforced to enable MFA on his account. I am pretty sure that in the past, when I invited users to such an Organization, they were enforced to enable MFA first for their account before they were able to join.

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.30.5
  • Web-vault version: v2024.1.2b
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Environment settings overridden: true
  • Uses a reverse proxy: false
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.44.0
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: ADMIN_TOKEN

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": false,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://************",
  "domain_origin": "*****://************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": 365,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": false,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "********",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "************************",
  "org_events_enabled": true,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "***********************",
  "smtp_from_name": "****************",
  "smtp_host": "**************************************",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}
  • Clients used: Only the Web Client was used in this process.
  • Reverse proxy and version: None

Steps to reproduce

  • Invite a new User to Vaultwarden and wait until he has finished the Onboarding process. He does not enable MFA in this process.
  • Invite him to an organization which has Enforce MFA enabled.
  • He will be able to accept the invitation, the Admin can approve it and then the User can access the organization without being enforced to enable MFA.

Expected behaviour

I expected that the User, when trying to accept the invitation to the Organization, gets a prompt that he has to enable MFA on his account first. I am pretty sure this was the behavior previously, but unfortunately I cannot say since which version it changed.

Actual behaviour

The user can just accept an invitation to an MFA-protected Organization without having MFA enabled.

Author
Owner

@rbability commented on GitHub (May 2, 2024):

To add to this. When removing the Checkmark for MFA enforcement on an organization, all Users without MFA enabled get removed from this organization. So this is still working as intended.

Author
Owner

@stefan0xC commented on GitHub (May 2, 2024):

What role is the user invited as? (Admins and Owners are exempt from MFA.)
[Screenshot: "Screenshot 2024-05-02 at 11-36-26 Policies Vaultwarden Web" (https://github.com/dani-garcia/vaultwarden/assets/509385/6dd0c110-c9c7-41a8-893d-be81b9f71411)]

> When removing the Checkmark for MFA enforcement on an organization, all Users without MFA enabled get removed from this organization. So this is still working as intended.

This sounds backwards. If you remove the checkmark you turn off the policy, meaning the enforcement of that policy should not be enabled and thus also not affect users.
https://github.com/dani-garcia/vaultwarden/blob/0fe93edea6cb8d4b30416a6d319164f8828ad8b7/src/db/models/org_policy.rs#L286-L289

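The two behaviours discussed in this thread, the Owner/Admin exemption stefan0xC points at and the removal of members without MFA when the policy is switched on, as an added Rust model. This is example code, not Vaultwarden's own implementation: the type and function names, the `Member` struct and the flow are assumptions; only the exemption rule (Owners and Admins are not subject to the policy) comes from the thread.

```rust
// Added example, not Vaultwarden's code: a small model of how an
// organization's "Enforce MFA" (two-factor) policy can gate invitation
// acceptance and existing membership. Names and flow are assumptions;
// the Owner/Admin exemption is the rule stated in the thread.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum OrgRole {
    Owner,
    Admin,
    User,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Member {
    pub email: String,
    pub role: OrgRole,
    pub has_two_factor: bool,
}

impl Member {
    pub fn new(email: &str, role: OrgRole, has_two_factor: bool) -> Self {
        Member { email: email.to_string(), role, has_two_factor }
    }
}

/// Roles the policy does not apply to (assumed to match the thread's remark).
fn role_is_exempt(role: OrgRole) -> bool {
    matches!(role, OrgRole::Owner | OrgRole::Admin)
}

/// True when the policy is on and the member's role is not exempt.
pub fn policy_applies(policy_enabled: bool, member: &Member) -> bool {
    policy_enabled && !role_is_exempt(member.role)
}

#[derive(Debug, PartialEq, Eq)]
pub enum AcceptOutcome {
    Accepted,
    TwoFactorRequired,
}

/// Check run when an invitee tries to accept an invitation: a non-exempt
/// invitee without two-factor is told to enable it first.
pub fn accept_invitation(policy_enabled: bool, invitee: &Member) -> AcceptOutcome {
    if policy_applies(policy_enabled, invitee) && !invitee.has_two_factor {
        AcceptOutcome::TwoFactorRequired
    } else {
        AcceptOutcome::Accepted
    }
}

/// Check run when the policy is switched on for an existing organization:
/// returns the members that lose access because they are not exempt and
/// have no two-factor configured.
pub fn members_removed_on_enable(members: &[Member]) -> Vec<&Member> {
    members
        .iter()
        .filter(|m| policy_applies(true, m) && !m.has_two_factor)
        .collect()
}

fn main() {
    // Constructed sample members for the example.
    let admin = Member::new("admin@example.test", OrgRole::Admin, false);
    let user = Member::new("user@example.test", OrgRole::User, false);
    let user_2fa = Member::new("secure@example.test", OrgRole::User, true);

    println!("admin without 2FA: {:?}", accept_invitation(true, &admin));
    println!("user without 2FA:  {:?}", accept_invitation(true, &user));
    println!("user with 2FA:     {:?}", accept_invitation(true, &user_2fa));

    let org = vec![admin, user, user_2fa];
    for m in members_removed_on_enable(&org) {
        println!("removed when policy is enabled: {}", m.email);
    }
}
```

In this model the acceptance check is the only point at which a non-exempt invitee is forced to set up two-factor, which is why inviting a future Admin as a regular User first (the reporter's workaround) makes the check run, whereas inviting directly as Admin skips it.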
Author
Owner

@rbability commented on GitHub (May 2, 2024):

Thank you @stefan0xC! I was indeed inviting the User as Admin. The first one ever... normally everyone has fewer permissions. This is why he was exempt from MFA! From now on I will invite the new Admins as regular Users first to make sure they are enabling MFA and then update their membership to Admin afterwards.

The addition I made to my post was not proof-read by me, sorry. We had the case that another person ADDED the checkmark to an Organization where it was not enforced and almost everyone lost access to that organization. So THIS is working as expected. I am sorry for the confusion.

In hindsight I should have created a new org first and tested again before opening this issue. I would then have seen the dialogue you posted above (which I have not seen for a very long time, since we do not create new Organizations regularly). I'm sorry for the inconvenience. Everything is working as it should.

Thank you very much for your time!

Reference: starred/vaultwarden#1908