Skip to content

Call out explicitly that we don't provide option to disable MFA #1221

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Apr 24, 2025
Merged

Call out explicitly that we don't provide option to disable MFA #1221

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
89a4ec8
Update multifactor-authentication.md
kunisen Apr 22, 2025
0e672d1
Reword the intro sentence with stronger language for clarity and upda…
florent-leborgne Apr 24, 2025
972e79b
Merge branch 'main' into kunisen-docpr-sdhcp9470
florent-leborgne Apr 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions cloud-account/multifactor-authentication.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,12 @@ Elastic recommends that you enable multiple methods so that you can still access

If you use only a Google or Microsoft account to log in, then you can’t configure MFA in {{ecloud}}. You can check and manage your multifactor authentication options in your Google or Microsoft account security settings.

::::{warning}

Disabling MFA poses a significant security risk, and as such, we do not provide the option to disable this feature.
Copy link
Contributor

@leemthompo leemthompo Apr 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Disabling MFA poses a significant security risk, and as such, we do not provide the option to disable this feature.
Disabling MFA poses a significant security risk. Therefore, this feature cannot be disabled.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wording nit

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should put this right at the top of the page? This will help anyone seeking to disable MFA eject from the doc immediately with this info and ideally we shouldn't stack admonitions because the page starts to get messy fast :)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd argue that we should make it not a warning and just tweak the 1st sentence of the page to make it even more explicit that MFA is mandatory

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also a valid approach @florent-leborgne 👍

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@maggieghamry By stating that it's mandatory and that users can choose which method they want to set up, I don't think it's needed to add that it's enforced by default (it's covered by "mandatory" IMO)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@brunofarache since we are now actively discussing this in SDH, could you kindly comment on this?
cc @delvedor since you also shared your opinion in the SDH comment.
(Given this is the public repo I won't share any real link, but this is for SDH Control Plane 9470).

Based on our internal discussion, "SDH link + /#issuecomment-2823720051", we shouldn't offer this option (even we technically could). Also I think logically this can prevent users from having confusion on this by simply saying "it's not possible".

Please kindly review and thanks! 🙏

also thanks Liam, Florent and Maggie for the kind advice! 🙇

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kunisen I'm good with whatever you prefer, as long as Support is aware there are alternatives and won't be pointing to this doc as the final say about it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @brunofarache and all!

@florent-leborgne May I trouble you to help update the wording

  • a) According to your comment here please?

Multifactor authentication (MFA) is mandatory when you log in to {{ecloud}} using a standard email/password combination. It helps protecting your account by adding an extra identity verification step when you log in. You can choose and define the MFA method to use based on your preference:

and also

  • b) Disabling MFA poses a significant security risk. Therefore, this feature cannot be disabled.

please?

Logically speaking, we would like to make an understanding of "MFA is always required and cannot be disabled", to enhance the meaning on both sides.
(The b) was preferably to be present because that's the reason we got the internal SDH ticket.)

WDYT below:

Multifactor authentication (MFA) is mandatory when you log in to {{ecloud}} using a standard email/password combination. It helps protecting your account by adding an extra identity verification step when you log in. Disabling MFA poses a significant security risk. Therefore, this feature cannot be disabled.
You can choose from the following methods:

If you think that's a bit duplicated in its meaning, I have an alternative idea.

Multifactor authentication (MFA) is mandatory when you log in to {{ecloud}} using a standard email/password combination and cannot be disabled. ...

But I think the point is clear, so I believe we are fine with what doc team suggests us from now on.
Thanks!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in 0e672d1

(The note about SMS was also outdated and a little bit misplaced so there's that change in there too)


::::

::::{note}
You can no longer configure SMS as a multifactor authentication method. If you already use SMS for multifactor authentication, then you can continue using it. You’ll be prompted to switch to a new MFA method in the future.

Expand Down
Loading