Stricter Two-factor Authentication (TFA) Enforcement Regulations
Advice
As part of our commitment to continuous security improvements, we would like to inform you of an upcoming change on the platform. In late April/early May, we are implementing additional TFA enforcement processes that will come into effect with planned release 3.24.0.
What you need to know
This change to the TFA enforcement process relates to SaaS projects and will enforce TFA requirements for all user accounts. This important change impacts username and password-based Application Programming Interface (API) authentication. If you are consuming an API from your Drupal website, you will need to move to token-based authentication to ensure your API connections remain functional. This will not impact Drupal's ability to connect to third-party APIs.
GovCMS conducts regular auditing on the platform. The TFA audit doesn't specifically detect token-based authentication; it detects misconfigurations in TFA and corrects them, which can potentially block access.
At this stage, the auditing process does not extend to PaaS projects; however, we encourage you to move API authentication to a token-based solution.
Action Required
Websites currently using only a username and password for API authentication MUST change to token-based authentication (e.g. OAuth 2.0).
If you have any concerns, please raise a Service Desk ticket and subscribe to GovCMS status page updates to stay informed.