Enforce the use of 2FA

I would like to enforce 2FA for a specific category of USER. Currently, users who do not set up 2FA can still access the data. I created a reusable element that I added to my pages to redirect users from this category who haven’t set up two-factor authentication, but I wanted to know if there was a better way to prevent them from accessing data. Forcing a logout, maybe? The Bubble logic seems to be: ID + password = login, then if 2FA = yes > check token; if 2FA = no, users can still navigate the site. Let me know if I am wrong (maybe it is possible to log in after the validate/check token step?) and if there is another way to do this. Thank you

There may be a couple of things you may do to improve upon this.

  1. First is using privacy rules. Create a field in the User thing, say isVerified or 2FA_verified, whatever you want to call it. Set it to yes/no, defaulting to no. Every time users log in and are 2FA verified, this is set to yes. Before a user is logged out, set this to no, then log them out.
    Now, in your privacy rules, choose which data can be accessed for a logged-in user whose isVerified is yes or no. That way Bubble serves the right data to those who have not gone through the 2FA verification, but keeps the important or sensitive stuff hidden until they verify. So even if someone bypasses the 2FA verification, they will still only access what you set in privacy rules (let’s say only the user’s first name and email are accessible if Current User is logged in AND Current User's Category is [userCategory] AND Current User's isVerified is "no"; that’s all they will access).

  2. You could also force them to log out or redirect to a specific page if Current User's isVerified is "no", but you should still implement step 1. When Current User is logged in AND Current User's Category is [userCategory] AND Current User's isVerified is "no", force them to a specific page even if you do not want them to log out.
    Better yet, if you do not want them to be forced, implement some sort of persistent banner or modal at the bottom right or left side that tells them to complete their 2FA verification. This will have a button that takes them to the page or opens up a reusable popup where they can do their 2FA verification.

Thanks for the response. That’s an approach I wanted to avoid because it feels more ‘complicated’ to manage; you have to handle that field very carefully, especially since logouts are almost always automatic, meaning there’s no workflow to set it to ‘NO.’ I had imagined setting it to ‘NO’ at the moment of reconnection for the users concerned. Is the reusable redirection not as secure as adding this field?

Yes, it can be tricky to implement this, but other than doing this, I don’t see any way to reliably solve this either. You could consider using backend workflows to handle certain edge cases for logout (like scheduling a backend workflow to set the isVerified field to ‘no’ when the session expires, or relying on setting the field to yes or no, in case the user's browser closes before the client side can set this field).

In cases like this, there isn’t a surefire way to do it easily; you simply use a combination of methods, try to think up ways that users could bypass said methods, and see if you can find alternative ways to handle this.

I’d say look into plugins, but I don’t know if there’s any plugin that does this. And the next option is writing custom code or something, but even I don’t recommend that or know how that will work (I don’t have much coding knowledge either).

No, using that alone is not as secure as setting a field and using privacy rules, as users can bypass that very easily, even if unintentionally. Redirection alone forces navigation, but the data would still be accessible. And if users bookmark the page where the full data is shown, they may not be able to bypass redirection, but the data is still accessible via the DOM. Someone with the right knowledge will access it easily.

It only controls navigation. If someone bypasses the redirect (via a bookmarked URL, direct API call, or a missed workflow), they might still reach sensitive data. It is not as secure as adding the isVerified field. Redirection is about user flow, while the field enforces actual data protection. Use redirection mainly for guiding the user experience, not for the actual data protection.
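To make the difference between the two layers concrete, here is an added example (constructed for this thread, not Bubble's own API or any code from the posters). It models the advice above: a page-level redirect for user flow, plus a data-layer "privacy rule" keyed on an isVerified flag that is only set after the token check and cleared again on login and logout. The User fields, the SENSITIVE_CATEGORY value standing in for [userCategory], and the token string are all assumptions; the point it shows is that a direct data fetch which never touches the page still gets only first name and email until 2FA completes.

```python
"""Constructed model of redirect-only vs. field-backed privacy rules (not Bubble code)."""
import hmac
from dataclasses import dataclass

SENSITIVE_CATEGORY = "restricted"   # assumption: stands in for [userCategory]


@dataclass
class User:
    email: str
    first_name: str
    category: str
    account_number: str     # constructed sensitive field, hidden until 2FA
    expected_token: str     # constructed stand-in for the 2FA "check token" step
    is_verified: bool = False   # the isVerified field; defaults to "no"


def login(user: User) -> dict:
    """Password step. Resets isVerified so every session must redo 2FA."""
    user.is_verified = False
    return {"user": user}


def check_token(session: dict, token: str) -> bool:
    """2FA step: only a correct token flips isVerified to yes."""
    user = session["user"]
    if hmac.compare_digest(token, user.expected_token):
        user.is_verified = True
    return user.is_verified


def logout(session: dict) -> None:
    """Set the flag to no before ending the session, as the answer recommends."""
    session["user"].is_verified = False
    session.clear()


def needs_2fa(user: User) -> bool:
    """Category is [userCategory] AND isVerified is 'no'."""
    return user.category == SENSITIVE_CATEGORY and not user.is_verified


def privacy_rule(current_user: User, record: User) -> dict:
    """Data layer: which fields of `record` are served to `current_user`.
    Unverified users in the sensitive category get first name and email only."""
    visible = {"first_name": record.first_name, "email": record.email}
    if not needs_2fa(current_user):
        visible["account_number"] = record.account_number
    return visible


def page_view(session: dict) -> str:
    """Page layer: the reusable element's redirect, modelled as an outcome string."""
    if needs_2fa(session["user"]):
        return "redirect:/verify-2fa"
    return "render:dashboard"


def data_request(session: dict) -> dict:
    """A direct fetch of the current user's own record: the path a bookmark,
    API call, or DOM read takes, which never passes through page_view."""
    user = session["user"]
    return privacy_rule(user, user)


def walkthrough() -> list:
    """Run one session end to end and record what each layer returned."""
    u = User("ann@example.test", "Ann", SENSITIVE_CATEGORY, "ACCT-0001", "123456")
    s = login(u)
    steps = [
        ("after login", page_view(s), sorted(data_request(s))),
        ("wrong token", check_token(s, "000000"), sorted(data_request(s))),
        ("right token", check_token(s, "123456"), sorted(data_request(s))),
        ("after 2FA", page_view(s), sorted(data_request(s))),
    ]
    logout(s)
    steps.append(("after logout", u.is_verified, s))
    return steps


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The redirect in page_view is still worth keeping for the user experience, but notice that data_request never consults it: the only thing that stops account_number from being served is privacy_rule reading the flag, which is why the field has to be reset on login and logout rather than trusted from a previous session.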

Thanks!