diff --git a/changelog.d/4-docs/pr-2329 b/changelog.d/4-docs/pr-2329 new file mode 100644 index 0000000000..7b90565520 --- /dev/null +++ b/changelog.d/4-docs/pr-2329 @@ -0,0 +1 @@ +Documentation for the 2nd factor password challenge feature diff --git a/docs/src/how-to/install/index.rst b/docs/src/how-to/install/index.rst index 38e05b5a23..5b19e76202 100644 --- a/docs/src/how-to/install/index.rst +++ b/docs/src/how-to/install/index.rst @@ -17,6 +17,7 @@ Installing wire-server (production) How to monitor wire-server (production) How to see centralized logs for wire-server (production) Other configuration options + Feature settings sft restund configure-federation diff --git a/docs/src/how-to/install/team-feature-settings.md b/docs/src/how-to/install/team-feature-settings.md new file mode 100644 index 0000000000..ef85e6c973 --- /dev/null +++ b/docs/src/how-to/install/team-feature-settings.md 
@@ -0,0 +1,30 @@ +# Feature settings + +Features can be enabled or disabled on a team level or server wide. Here we will only cover the server wide configuration. + +When a feature's lock status is `unlocked` it means that its settings can be overridden on a team level by team admins. This can be done via the team management app or via the team feature API and is not covered here. + +## 2nd factor password challenge + +By default Wire enforces a 2nd factor authentication for certain user operations like e.g. activating an account, changing email or password, or deleting an account. + +If the `sndFactorPasswordChallenge` feature is enabled, a 6 digit verification code will be send per email to authenticate for additional user operations like e.g. for login, adding a new client, generating SCIM tokens, or deleting a team. + +Usually the default is what you want. If you explicitly want to enable additional password challenges, add the following to your Helm overrides in `values/wire-server/values.yaml`: + +```yaml +galley: + # ... + config: + # ... + settings: + # ... + featureFlags: + # ... + sndFactorPasswordChallenge: + defaults: + status: enabled + lockStatus: locked +``` + +Note that the lock status is required but has no effect, as it is currently not supported for team admins to enable or disable `sndFactorPasswordChallenge`. We recommend to set the lock status to `locked`.
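Review bot: In the `sndFactorPasswordChallenge` paragraph of team-feature-settings.md, "will be send per email" should read "will be sent by email". The section also never states what the default `status` and `lockStatus` are, although it says "Usually the default is what you want"; please name the defaults explicitly so an operator can tell what the override changes. The closing note that `lockStatus` is required but has no effect reads as a contradiction of the intro's statement that `unlocked` lets team admins override settings. Consider moving that caveat directly above the YAML block, so nobody sets `unlocked` expecting per-team control of this feature.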