automatically use email address as 2fa provider

[stefan0xC]

When an organization policy requires a 2FA provider the registration via the organizations invite link should add the email address as 2FA provider. You can also skip the policy check if you set EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=true (e.g. so that email provider is added to users that are invited via the /admin panel).

This should fix #4303, however I've also added a way to ensure that the email address will be used automatically as fallback 2FA provider whenever needed (which you have to opt in by setting EMAIL_2FA_AUTO_FALLBACK=true). I'd consider this an experimental feature as it would be Vaultwarden only.

If you don't want your users to enable email 2FA provider at all, you should set _ENABLE_EMAIL_2FA=false to disable email as 2FA provider entirely.

[tessus]

May I ask, why email should be used as a default 2FA? IMO there are 2 MFA systems that are not really safe: email and SMS (text). I believe it's more than just a personal opinion, but looking at the SIM awap attack and other known attack vectors a rather proven standpoint.

There's a reason why there are standards like TOTP or HW keys.

As a SW that prides itself to be secure out of the box with zero knowledge, setting a default 2FA method, which is not the safest choice is detrimental to its mission and goal.

I hope this was not too harsh. If so, I apologize in advance.

P.S.: Why not use TOTP enrollment as the default?

[stefan0xC]

May I ask, why email should be used as a default 2FA?

That's the only one that can be setup at the moment and before having an account. Also that's how the Bitwarden server does it: https://github.com/bitwarden/server/blob/472b1f8d44c1e223aa2e36737650922ef716a004/src/Core/Services/Implementations/UserService.cs#L318-L331

Why not use TOTP enrollment as the default?

It's currently not possible. Presumably the other 2FA providers require changes to the web-vault. If this were supported by the client, e.g. part of the signup form that would be preferable of course. (The auto fallback would not work for most steps because it would require the user's input.)

As a SW that prides itself to be secure out of the box with zero knowledge, setting a default 2FA method, which is not the safest choice is detrimental to its mission and goal.

Personally, I think that having email 2FA as default provider is better than none (which is why I've also added the option to automatically fallback when needed). Since this might not be for everyone, I chose to make both Vaultwarden-only features opt-in (and marked the auto fallback as risky). So by default it mirrors the way Bitwarden does it and only sets it up if there's an org policy that requires it. And like I said it's possible to disable email as 2FA provider, so if you are security minded you can (and probably should?) harden your instance that way.

I mean, the auto fallback method might also be too convenient because it might not be necessary to setup email 2FA here:

vaultwarden/src/api/core/organizations.rs

Lines 1097 to 1099 in 897bdf8

	Err(OrgPolicyErr::TwoFactorMissing) => {
	err!("You cannot join this organization until you enable two-step login on your user account");
	}

because here the user is in control and they had the option to setup a 2FA provider beforehand.

I hope this was not too harsh. If so, I apologize in advance.

No worries. Thanks for the feedback.

[tessus]

Thanks a bunch for the explanation. I didn't know the flow, but just remembered that I can setup TOTP as a 2FA in the web vault.

Well, at least email is better than SMS, if one wants to access their account when travelling. It's highly annoying how banks and others send a challenge text to your phone, which makes no sense when out of the country and not having the SIM active to avoid extremly high roaming expenses. I also love how BWAWG or Bank Austria handle online banking. The 2FA is bound to their apps and your phone. Good look switching your phone while not being in the country. You won't have access to your online banking anymore. I live in Canada, but still have accounts with those 2 banks. I am about to get a new phone, and won't be able to access my bank accounts anymore. Sorry the rant. It's off-topic. You can hide this comment. ;-)