Behaviour
When originally launched, Two Factor for Statamic enforced two factor authentication for all users of the CP.
Since 2.2 and 2.4.1, some additional and optional behaviour changes have been made.
Super users are always enforced
Regardless of how you configure the addon, super users will always have two factor enforced.
Super users can do a heck of a lot: so if you are wanting two factor, why would you want such an elevated user to not use it?
For that reason, we decided to make super users always require two factor.
Enforced for everyone (the default)
When you install and enable the addon, all users of the CP will have two factor enforced.
This means everyone must use two factor authentication.
We like this option - hence it is the default.
There's nothing to configure: just install, enable, and you're all good!
If you've been making changes to the config file, to reset to this behaviour, set enforced_roles to null.
'enforced_roles' => null,
Enforced specific roles (and optional for others)
You can enforce two factor for specific roles. Let's say you have a role with the handle users_admin and you want them to require two factor. You can update the enforced_roles config property:
'enforced_roles' => ['users_admin'],
Find out more about role-based configuration.
All other users can opt-in to two factor from their Profile in the CP.
Optional for everyone
You can make two factor optional for everyone (except super users - see above).
To do this, set the enforced_roles config property to an empty array:
'enforced_roles' => [],
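The three settings differ only in null versus a list versus an empty list, and a loose check such as empty() treats null and [] alike even though they mean opposite things here. The following is an added example, not the addon's own code: it models the rules described above in standalone PHP and reports which accounts are left with optional two factor under each setting. The function name, the sample users and the "any matching role handle enforces" rule for users with several roles are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Illustrative model of the documented rules; not the addon's implementation.
function twoFactorEnforced(bool $isSuper, array $roleHandles, ?array $enforcedRoles): bool
{
    if ($isSuper) {
        return true;    // super users are always enforced
    }
    if ($enforcedRoles === null) {
        return true;    // null: enforced for everyone (the default)
    }
    // An empty list matches no role, so two factor is opt-in for everyone else.
    // Assumption: a user is enforced if any of their role handles is listed.
    return array_intersect($roleHandles, $enforcedRoles) !== [];
}

// Constructed sample users (hypothetical addresses and role handles).
$users = [
    ['email' => 'root@example.test',   'super' => true,  'roles' => []],
    ['email' => 'admin@example.test',  'super' => false, 'roles' => ['users_admin']],
    ['email' => 'editor@example.test', 'super' => false, 'roles' => ['editor']],
];

// The three documented values of enforced_roles.
$settings = [
    'null'            => null,
    "['users_admin']" => ['users_admin'],
    '[]'              => [],
];

foreach ($settings as $label => $enforcedRoles) {
    $optional = [];
    foreach ($users as $u) {
        if (!twoFactorEnforced($u['super'], $u['roles'], $enforcedRoles)) {
            $optional[] = $u['email'];
        }
    }
    printf(
        "enforced_roles = %-16s two factor optional for: %s\n",
        $label,
        $optional ? implode(', ', $optional) : '(nobody)'
    );
}
```

Run it with the php CLI; swapping the constructed users for an export of real CP accounts gives a quick list of who falls outside enforcement before a config change is deployed.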