
[Hardening] F-03: Recommended Mandatory 2FA Enforcement from the Start. #13335

@davift

Description


The required feature described as a wish


Description: The "Tyranny of Default" principle recommends enabling the global setting mandate.user.2fa from the start. Security can always be downgraded later, but most users will simply accept whatever defaults they are given. If mandate.user.2fa is not set, 2FA remains ineffective even for those users who have already enrolled.

Affected Components: Management UI

Impact: Without mandatory enforcement, users may choose not to enroll in 2FA. In environments with regulatory or compliance requirements (e.g., PCI-DSS, SOC 2), the absence of enforced MFA may constitute a compliance gap.

Steps to Reproduce:

  • Log in to the CloudStack Management UI as a Root Admin.
  • Navigate to Configuration > Global Settings.
  • Search for mandate.user.2fa and confirm the value is False.
  • Create a new user account at any permission level.
  • Log in as that user and confirm that access is granted without any 2FA prompt.

Recommended Remediation: Set mandate.user.2fa to True by default. Users will be naturally guided to set up 2FA at first login without friction, and the first impression of the ACS project will reflect a stronger security posture.
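The same check and remediation, driven through the CloudStack HTTP API rather than the Management UI, as an added example (this is not part of the original issue and not CloudStack project code). listConfigurations and updateConfiguration are the real API commands for reading and writing a global setting; the endpoint, API key, secret key and the sample JSON response are constructed for the demonstration, and the response parser assumes CloudStack's usual `<command>response` JSON wrapper with a `configuration` list of name/value entries. The signing routine follows CloudStack's documented scheme: URL-encode each field, lower-case and sort the field list, HMAC-SHA1 with the secret key, base64.

```python
"""Check and enforce the CloudStack global setting mandate.user.2fa through
the signed HTTP API instead of the Management UI.

Added example for this issue; it is not CloudStack project code.  The
endpoint, API key, secret key and the sample JSON response are constructed
for the demonstration.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import quote_plus, urlencode

SETTING = "mandate.user.2fa"


def canonical_string(params: dict) -> str:
    """Build the string CloudStack signs: each field URL-encoded (spaces as
    %20, not '+'), the whole string lower-cased, sorted by field name and
    '&'-joined.  'signature' itself must not be in params."""
    parts = []
    for key in sorted(params, key=str.lower):
        value = quote_plus(str(params[key])).replace("+", "%20").lower()
        parts.append(f"{key.lower()}={value}")
    return "&".join(parts)


def sign(params: dict, secret_key: str) -> str:
    """HMAC-SHA1 of the canonical string, base64 encoded (28 characters)."""
    mac = hmac.new(secret_key.encode(), canonical_string(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_url(endpoint: str, command: str, api_key: str, secret_key: str, **fields) -> str:
    """Return a ready-to-GET CloudStack API URL for `command` plus the
    remaining fields, signed with the caller's key pair."""
    params = {"command": command, "response": "json", "apikey": api_key, **fields}
    params["signature"] = sign(params, secret_key)  # computed before it is added
    return f"{endpoint}?{urlencode(params)}"


def two_fa_mandated(list_configurations_json: str) -> bool:
    """Parse a listConfigurations JSON response; True only if the setting is
    present and its value is 'true'.  A missing setting counts as not enforced."""
    body = json.loads(list_configurations_json)["listconfigurationsresponse"]
    for entry in body.get("configuration", []):
        if entry.get("name") == SETTING:
            return str(entry.get("value", "")).lower() == "true"
    return False


def audit_urls(endpoint: str, api_key: str, secret_key: str) -> tuple:
    """The two requests a compliance check needs: read the current value,
    and (if it is false) flip it to true with updateConfiguration."""
    check = build_url(endpoint, "listConfigurations", api_key, secret_key, name=SETTING)
    fix = build_url(endpoint, "updateConfiguration", api_key, secret_key,
                    name=SETTING, value="true")
    return check, fix


# Constructed sample response showing the weak default reported in the issue.
SAMPLE_WEAK_RESPONSE = json.dumps({
    "listconfigurationsresponse": {
        "count": 1,
        "configuration": [{"category": "Advanced", "name": SETTING, "value": "false"}],
    }
})


if __name__ == "__main__":
    check, fix = audit_urls("https://cloudstack.example/client/api",
                            "ExampleApiKey123", "ExampleSecretKey456")
    print("GET", check)
    if not two_fa_mandated(SAMPLE_WEAK_RESPONSE):
        print("mandate.user.2fa is not enforced; remediation request:")
        print("GET", fix)
```

Running the script prints the signed listConfigurations URL, evaluates the constructed response (value "false") and prints the signed updateConfiguration URL that sets the value to true; in a real deployment the second request is only issued by an account with Root Admin rights, and the audit should be repeated after the change because the setting can be downgraded again through the same API.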

Metadata

Assignees: No one assigned
Labels: No labels
Type: No type
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests