Call out explicitly that we don't provide option to disable MFA #1221
Conversation
@@ -20,6 +20,12 @@ Elastic recommends that you enable multiple methods so that you can still access | |||
|
|||
If you use only a Google or Microsoft account to log in, then you can’t configure MFA in {{ecloud}}. You can check and manage your multifactor authentication options in your Google or Microsoft account security settings. | |||
|
|||
::::{warning} | |||
|
|||
Disabling MFA poses a significant security risk, and as such, we do not provide the option to disable this feature. |
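Review bot: the `::::{warning}` admonition opened at the end of this hunk has no closing `::::` among the lines shown, so confirm the block is terminated before the following section. The added sentence is also phrased around the vendor ("we do not provide the option to disable this feature") while the surrounding lines address the reader directly; "Therefore, this feature cannot be disabled." matches that register, and stating it in the page's opening sentence instead of a second admonition stacked under the Google/Microsoft note keeps the page from accumulating callouts.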
Suggested change:
- Disabling MFA poses a significant security risk, and as such, we do not provide the option to disable this feature.
+ Disabling MFA poses a significant security risk. Therefore, this feature cannot be disabled.
wording nit
Maybe we should put this right at the top of the page? This will help anyone seeking to disable MFA eject from the doc immediately with this info and ideally we shouldn't stack admonitions because the page starts to get messy fast :)
I'd argue that we should make it not a warning and just tweak the 1st sentence of the page to make it even more explicit that MFA is mandatory
Also a valid approach @florent-leborgne 👍
@maggieghamry By stating that it's mandatory and that users can choose which method they want to set up, I don't think it's needed to add that it's enforced by default (it's covered by "mandatory" IMO)
@brunofarache since we are now actively discussing this in SDH, could you kindly comment on this?
cc @delvedor since you also shared your opinion in the SDH comment.
(Given this is the public repo I won't share any real link, but this is for SDH Control Plane 9470).
Based on our internal discussion, "SDH link + /#issuecomment-2823720051", we shouldn't offer this option (even though we technically could). Also, I think logically this can prevent users from having confusion on this by simply saying "it's not possible".
Please kindly review and thanks! 🙏
also thanks Liam, Florent and Maggie for the kind advice! 🙇
@kunisen I'm good with whatever you prefer, as long as Support is aware there are alternatives and won't be pointing to this doc as the final say about it.
Thanks @brunofarache and all!
@florent-leborgne May I trouble you to help update the wording
- a) According to your comment here please?
Multifactor authentication (MFA) is mandatory when you log in to {{ecloud}} using a standard email/password combination. It helps protect your account by adding an extra identity verification step when you log in. You can choose and define the MFA method to use based on your preference:
and also
- b) Disabling MFA poses a significant security risk. Therefore, this feature cannot be disabled.
please?
Logically speaking, we would like to make an understanding of "MFA is always required and cannot be disabled", to enhance the meaning on both sides.
(The b) was preferably to be present because that's the reason we got the internal SDH ticket.)
WDYT below:
Multifactor authentication (MFA) is mandatory when you log in to {{ecloud}} using a standard email/password combination. It helps protect your account by adding an extra identity verification step when you log in. Disabling MFA poses a significant security risk. Therefore, this feature cannot be disabled.
You can choose from the following methods:
If you think that's a bit duplicated in its meaning, I have an alternative idea.
Multifactor authentication (MFA) is mandatory when you log in to {{ecloud}} using a standard email/password combination and cannot be disabled. ...
But I think the point is clear, so I believe we are fine with what doc team suggests us from now on.
Thanks!
Done in 0e672d1
(The note about SMS was also outdated and a little bit misplaced so there's that change in there too)
I agree with the note of
Disabling MFA poses a significant security risk. Therefore, this feature cannot be disabled.
Perhaps we may also consider adding note that Cloud MFA is enforced by default, ie:
Disabling MFA poses a significant security risk and is enforced by default. Therefore, this feature cannot be disabled.
…te outdated SMS note
LGTM after latest discussed changes
Description
As mentioned in an internal ticket (SDH CP 9470), disabling MFA poses a significant security risk, thus we don't provide this option. This doc PR is to call this out explicitly.
After the PR is merged, the orange part will be added: (updated - see the 1st image below) Updated as follows after discussion (stronger intro sentence instead of yet another callout):