Google Authenticator 2FA: Keep subdomain name/use fully qualified domain name

  1. What is your original issue/pain point you want to solve?

After setting up the new 2FA, the Google Authenticator app shows only the main domain name (e.g. example.com) as the entry, which is confusing if the Zammad instance is hosted on a sub level domain (e.g. zammad.example.com instead of example.com).

Edit:
This is wrong, see Google Authenticator 2FA: Keep subdomain name/use fully qualified domain name - #3 by Stubenhocker: it uses organisation name first, then the product name and finally just “Zammad”. In my specific use case it looked like the domain name. So the main pain point here is it not being clear what name it uses and having no option to fine-tune said name or the default naming scheme indicating it’s a code for just Zammad.

  2. Which are one or two concrete situations where this problem hurts the most?

Having multiple services hosted under one domain that provide their own respective 2FA codes, causing confusion about which code is for which service.

  3. Why is it not solvable with the Zammad standard?

I haven’t found a setting related to this name, and I would have expected it to use the “Fully Qualified Domain Name” instead.

  4. What is your expectation/what do you want to achieve?

Make the 2FA key name use the “Fully Qualified Domain Name” or provide an option to set a custom name.

Edit:
Or prepend Zammad to the organization name

Your Zammad environment:

  • Average concurrent agent count: 2-5
  • Average tickets a day: 100
  • What roles/people are involved: admin, agents, customers
1 Like

I think it is currently using the name of the organization as the 2FA identification. I would love something customizable too, as we too have multiple platforms requiring 2FA and now it is not apparent that the one for Zammad is actually for Zammad.

2 Likes

Looks like you’re right, I’ve looked at the code a bit and inside of authenticator_app.rb it does list the organization first:

def issuer
  Setting.get('organization').presence || Setting.get('product_name').presence || 'Zammad'
end

Guess in my specific case our organization name led me to believe it was domain based instead. :sweat_smile:

Regardless, letting one customize this in a more specific way would be super handy, as just the organization name doesn’t clearly communicate that it is the 2FA code for the Zammad instance. I would also be happy with it just prepending “Zammad” to the name automatically.

1 Like
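
How the issuer fallback quoted in the post above becomes the entry name in an authenticator app, as an added example that is not Zammad's own code. Assumptions: a plain Hash stands in for `Setting.get`, the issuer is passed unchanged into a standard `otpauth://` Key URI, the account and secret are constructed sample values, and the `prefix:` option is hypothetical, sketching the behaviour requested in this thread.

```ruby
require 'uri'

# Stand-in for ActiveSupport's #presence: nil for nil or blank strings.
def presence(value)
  value.to_s.strip.empty? ? nil : value
end

# Same fallback order as the issuer method quoted in the thread.
# `settings` is a plain Hash (assumption, replaces Setting.get).
# `prefix:` is hypothetical: it models the requested "prepend Zammad" option.
def issuer(settings, prefix: nil)
  base = presence(settings['organization']) ||
         presence(settings['product_name']) || 'Zammad'
  return base if prefix.nil? || base == prefix

  "#{prefix} #{base}"
end

# Percent-encode one label component (space as %20, not '+').
def encode_label(part)
  URI.encode_www_form_component(part).gsub('+', '%20')
end

# Build an otpauth:// Key URI: label is "issuer:account", and the issuer is
# repeated as a query parameter, which is what apps show as the entry name.
def provisioning_uri(settings, account, secret, prefix: nil)
  iss = issuer(settings, prefix: prefix)
  label = [iss, account].map { |part| encode_label(part) }.join(':')
  "otpauth://totp/#{label}?#{URI.encode_www_form(secret: secret, issuer: iss)}"
end

# Entry name an authenticator app would take from the URI's issuer parameter.
def displayed_issuer(uri)
  URI.decode_www_form(uri.split('?', 2).last).to_h['issuer']
end

# Constructed sample values, not taken from any real instance.
SAMPLE_SECRET  = 'JBSWY3DPEHPK3PXP'
SAMPLE_ACCOUNT = 'agent@example.com'
ORG_LIKE_DOMAIN = { 'organization' => 'example.com', 'product_name' => 'Helpdesk' }

[nil, 'Zammad'].each do |prefix|
  uri = provisioning_uri(ORG_LIKE_DOMAIN, SAMPLE_ACCOUNT, SAMPLE_SECRET, prefix: prefix)
  puts "prefix=#{prefix.inspect} -> entry #{displayed_issuer(uri).inspect}"
  puts "  #{uri}"
end
```

With an organization name that happens to look like a domain, the entry is indistinguishable from any other service enrolled under that name; only the prefixed variant identifies the Zammad instance.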