From 29f344b98dee7c407662a393d6008e39d71366b5 Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Mon, 1 Nov 2021 23:59:03 +0100 Subject: [PATCH 1/4] add setting to turn on MFA --- docs/settings/global.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/settings/global.md b/docs/settings/global.md index 1b39a24..a8c08da 100644 --- a/docs/settings/global.md +++ b/docs/settings/global.md @@ -29,6 +29,7 @@ Change how logins, password-forgot, signups are handled. | Enable SSO | Boolean | Enable SSO on the login-pages | False | | Enable password forgot | Boolean | Enable password forgot function on the login-pages.

This will let users reset their passwords on their own. For this feature to work you need to configure E-mail | True | | E-Mail required | Boolean | Require user to supply e-mail on signup.

Without a way (e-mail) to contact the user notifications and security features might not work! | False | +| Enforce MFA | Boolean | Users must use multifactor security.

This forces each user to setup MFA and use it on each autentication | False | | Mail twice | Boolean | On signup ask users twice for their mail | False | | Password twice | Boolean | On signup ask users twice for their password | True | | Auto-fill SSO users | Boolean | Automatically fill out user-details from SSO account-data.

If this feature is enabled the user is only asked for their username, first- and surname if those values can not be gathered from their SSO profile. This might lead to unwanted usernames bleading over. | True | From b903dfb72540c06616e04eff2325bf47cccd10e4 Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Wed, 3 Nov 2021 22:05:05 +0100 Subject: [PATCH 2/4] added MFA section --- docs/settings/MFA.md | 18 ++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 19 insertions(+) create mode 100644 docs/settings/MFA.md diff --git a/docs/settings/MFA.md b/docs/settings/MFA.md new file mode 100644 index 0000000..92a9fa8 --- /dev/null +++ b/docs/settings/MFA.md 
@@ -0,0 +1,18 @@ +--- +title: InvenTree Multi Factor Authentication +--- + +## Multi Factor Authentication + + InvenTree gives the option to use TOTP or staticly generated backup tokens as an additional factor to password or SSO authentication. This is a widely adopted security feature on enterprise web services. We highly encourage to enable it if you expose your instance to the public internet. + +As TOTP is an [open standard](https://datatracker.ietf.org/doc/html/rfc6238) there are a lot of different ways to hold your key and generate the time based tokens needed for authentication. That ranges from physical devices to password managers and mobile apps. We do not advertise any method but reccomend to keep password and token generator seperate from each other. + +### Configuration + +To make MFA mandatory for all users +1. Enable it in the [global settings](../settings/global.md). + +### Security Consideration + +A user can lock themself out if they loose access to both the device with their TOTP app and their backup tokens. An admin can delete their tokens from the admin pages (they exsist under the 'TOTP devices' / 'static devices' models) . This should be a last resort and only done by people knowledgeable about the [admin pages](../settings/admin.md) as changes there might circumvent InvneTrees buisness and security logic. diff --git a/mkdocs.yml b/mkdocs.yml index cb607f0..1ce8c32 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -100,6 +100,7 @@ nav: - Admin Interface: settings/admin.md - User Permissions: settings/permissions.md - Single Sign on: settings/SSO.md + - Multi Factor Authentication: settings/MFA.md - Export Data: settings/export.md - Import Data: settings/import.md - Python Shell: settings/shell.md From 5845e82460de04bcb6aa266670505b17ebe54c60 Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Wed, 3 Nov 2021 22:05:47 +0100 Subject: [PATCH 3/4] add release note to 0.6 for MFA --- docs/releases/0.6.0.md | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/docs/releases/0.6.0.md b/docs/releases/0.6.0.md index d68f99c..0173012 100644 --- a/docs/releases/0.6.0.md +++ b/docs/releases/0.6.0.md @@ -50,6 +50,10 @@ PR [#2205](https://github.com/inventree/InvenTree/pull/2205) represents a major PR [#2208](https://github.com/inventree/InvenTree/pull/2208) provides notification emails when the stock level for a particular part falls below the configured "minimum stock" threshold for that part. An email is automatically sent to any users who are subscribed to notifications for that part. +### MFA Support + +PR [#2221](https://github.com/inventree/InvenTree/pull/2221) adds support for MFA (multi factor authentication). This enables admins to require all users to enable MFA as a second auth step. Refer to the [documentation](../settings/mfa) for further information. + ### Bug Fixes | Pull Request | Description | From d85e1071545d3a9158b11d9bd849ee717116686f Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Wed, 3 Nov 2021 23:16:15 +0100 Subject: [PATCH 4/4] spelling fixes --- docs/settings/MFA.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/settings/MFA.md b/docs/settings/MFA.md index 92a9fa8..66ca66b 100644 --- a/docs/settings/MFA.md +++ b/docs/settings/MFA.md 
@@ -4,9 +4,9 @@ title: InvenTree Multi Factor Authentication ## Multi Factor Authentication - InvenTree gives the option to use TOTP or staticly generated backup tokens as an additional factor to password or SSO authentication. This is a widely adopted security feature on enterprise web services. We highly encourage to enable it if you expose your instance to the public internet. + InvenTree gives the option to use TOTP or statically generated backup tokens as an additional factor to password or SSO authentication. This is a widely adopted security feature on enterprise web services. We highly encourage to enable it if you expose your instance to the public internet. -As TOTP is an [open standard](https://datatracker.ietf.org/doc/html/rfc6238) there are a lot of different ways to hold your key and generate the time based tokens needed for authentication. That ranges from physical devices to password managers and mobile apps. We do not advertise any method but reccomend to keep password and token generator seperate from each other. +As TOTP is an [open standard](https://datatracker.ietf.org/doc/html/rfc6238) there are a lot of different ways to hold your key and generate the time based tokens needed for authentication. That ranges from physical devices to password managers and mobile apps. We do not advertise any method but recommend to keep password and token generator seperate from each other. ### Configuration 
@@ -15,4 +15,4 @@ To make MFA mandatory for all users ### Security Consideration -A user can lock themself out if they loose access to both the device with their TOTP app and their backup tokens. An admin can delete their tokens from the admin pages (they exsist under the 'TOTP devices' / 'static devices' models) . This should be a last resort and only done by people knowledgeable about the [admin pages](../settings/admin.md) as changes there might circumvent InvneTrees buisness and security logic. +A user can lock themself out if they lose access to both the device with their TOTP app and their backup tokens. An admin can delete their tokens from the admin pages (they exsist under the 'TOTP devices' / 'static devices' models) . This should be a last resort and only done by people knowledgeable about the [admin pages](../settings/admin.md) as changes there might circumvent InvneTrees buisness and security logic.
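Review bot: in the docs/settings/global.md hunk of PATCH 1/4, the new `Enforce MFA` row still carries a typo ("on each autentication" should read "on each authentication"), and "Users must use multifactor security" would be clearer as "Users must use multi-factor authentication". The row also leaves a question an admin will have before flipping the default from `False`: what happens to users who have no TOTP device or backup tokens yet once enforcement is on (whether they are forced through enrolment at next login or simply blocked). A short sentence answering that belongs in the description, since this is the only place the setting is documented.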
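Review bot: the new docs/settings/MFA.md in PATCH 2/4 needs a spelling pass beyond what PATCH 4/4 covers: "staticly", "reccomend", "seperate", "themself", "loose", "exsist" and "InvneTrees buisness" (should be "InvenTree's business"), plus the stray space in "models) ." and the non-idiomatic "We highly encourage to enable it" (suggest "We strongly encourage enabling it"). The Configuration section's one-step list should name the setting it refers to, e.g. "1. Enable `Enforce MFA` in the [global settings](../settings/global.md).", otherwise the reader has to hunt through the settings table. In the Security Consideration paragraph, the admin recovery procedure should say that deleting a user's 'TOTP devices' / 'static devices' entries removes their second factor entirely, so the admin should confirm the user's identity out of band first and the user should re-enrol immediately afterwards; as written it only warns about the admin pages in general.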
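Review bot: in the docs/releases/0.6.0.md hunk of PATCH 3/4, the link target `../settings/mfa` does not match the file this series creates, `docs/settings/MFA.md` (PATCH 2/4), and the mkdocs nav entry in the same series uses `settings/MFA.md`. On a case-sensitive host the lower-case link will 404; suggest `[documentation](../settings/MFA.md)` to match the file and the nav. Minor: "(multi factor authentication)" should be hyphenated as "multi-factor authentication", consistent with the section heading "MFA Support".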
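Review bot: PATCH 4/4 ("spelling fixes") corrects "staticly", "reccomend" and "loose" but leaves "seperate" in the second paragraph and "themself", "exsist", "InvneTrees buisness" and the space before the period in "models) ." in the Security Consideration paragraph, all visible in the `-`/`+` lines of this hunk. Since the commit is dedicated to spelling, these should be folded into it rather than left for a later fix.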