Upcoming MFA changes
dan last edited by dan
MFA in FusionAuth is being rebuilt; SMS 2FA is being revamped and will only be available in an edition with a paid license. TOTP/Google authenticator 2FA will remain available in the community edition. Expected release date of the new MFA features is mid Q1 2021.
We are currently revamping our multi-factor authentication functionality (MFA) to solve a number of problems we heard from our customers and community.
This includes rebuilding our SMS/text messaging MFA feature from the ground up. Frankly, the previous feature had some real issues (this is the clean version of what some of you told us) and we want to make it way better. We are adding localization, customizable templates, the ability to select your own SMS provider and more. This is on top of other MFA features which will be released as part of this overhaul, like MFA policies, FIDO support, and one time recovery codes. This is all being tracked on GitHub issue #960.
We believe every project should have secure, world class auth. So, the basic TOTP implementation (using Google authenticator or similar software) as it exists in the community edition in Dec 2020 (and as is documented here) will remain free after the new MFA features are released. You will continue to have to write some code to implement this (to display the QR code to a user, for example). A FusionAuth self-service TOTP implementation is in our plans, but this will not be included in the community edition.
FusionAuth is also building a sustainable business, which means we do have to make a little money. Because of that, the MFA improvements outlined above will be a premium feature, requiring a paid license.
Please Read: If you are using Twilio for SMS MFA and want to continue to use it after the new MFA features are released, you have two options:
- Don’t upgrade to the new version of FusionAuth which includes the MFA overhaul. You can run the previous version forever. However, no features or bug fixes will be backported.
- Buy the developer edition. To ease the transition, we’re offering two months of the developer edition for free. Just contact us, say "hey, I want my SMS 2FA" and we’ll give you a code.
The new MFA features are expected to be released in mid Q1 2021, but I'm sharing this now so you can adjust your plans as needed.
If you have any questions or concerns, please let us know either by contacting us or posting below.
While I understand the need to build a sustainable business, I completely disagree with removing features that where previously in the free version and making them only available in the paid version.
The product that we have build and are using FusionAuth for has an security required for MFA authentication so when researching what auth solution to use the availability of MFA SMS was an requirement for us. FusionAuth seemed (and still is) the perfect fit for our product with the extensive API and the theming possibility so we can white label our product.
One of the other points that ultimately made us choose FusionAuth was how accessible and community friendly the developers seemed (an forum, github issues to report bugs/features, open roadmap, etc). This action to remove such an important feature from the free version completely goes against that.
Ultimately now we are in the situation that we, in the last 3/4 months, completely build our product based on FusionAuth, but now have to consider switching to a different solution (and rewriting big parts of our product) because an essential feature that we use is being removed from the version that we are using.
Currently buying the paid version isn't an option for us, because just like you, we are trying to build a sustainable business and any additional recurring fees are costs we can't have right now. (Our intend was to switch to the developer version once we have a sustainable business)
The other option, like you mention, to stop updating FusionAuth is quite frankly kind of shocking, to suggest not updating the solution/component that ultimately is responsible for a big part of the security of our product...
If would strongly urge you to reconsider the choice to remove SMS MFA from the free version, make it so that in the free version you can only use the default text templates and only use Twilio, that is completely fine. But do not remove such an important feature from the free version.
Note: the https://fusionauth.io/pricing/ page still says the community edition contains SMS MFA...
dan last edited by dan
Thanks for sharing your concerns, we appreciate you taking the time to share your opinion. We always love hearing from our users and I'll make sure the team sees your feedback. We also updated the features matrix on the pricing page--thanks for pointing that out. We want to do right by the community and that includes building a sustainable business as well as providing a great community solution.
Regarding SMS MFA, the existing code was entangled enough with our rewrite that it didn't make sense to preserve it. Carving out the existing functionality as you suggest would have impacted our product in painful ways. We have spent developer-months of time researching, prototyping and building this feature and want it to be world class. Frankly, we felt that the Twilio SMS MFA functionality wasn't as good as we wanted it to be (and we have the bug reports to show that opinion is shared).
We understand that you built on top of FusionAuth with certain expectations, which is why we provided as much lead time as we could, as well as the two months free trial of the developer edition. As far as running an older version, based on our customer feedback we have many users that are on older versions. However, I understand your trepidation. We merely point that out as an option.
We also understand that switching is hard for such a critical component. It takes time for your developers to update code - and most of the other providers will be considerably more expensive than FusionAuth, which will impact you even more. This is why we want to reduce the burden of upgrading to our Developer Edition as much as possible. Plus, you'll be gaining a lot of additional MFA capabilities including SMS templates and additional MFA options.
We'd love for you to continue to use FusionAuth, but if you feel that switching solutions makes better sense for your business, we completely understand.
Thanks for your response and the explanation about not being able to keep the existing functionality free.
Regarding the option to not upgrade, if in the future (lets says this year) an serious security issue is found, will you backport a fix to older versions? (< 1.24)
will you backport a fix to older versions? (< 1.24)
I wanted to answer your question. I discussed the possibility of backporting security fixes with the team. The decision we arrived at is that FusionAuth won't backport any security fixes to 1.23.
We haven't backported security fixes (or other functionality for that matter) between versions in the past. If we were going to commit to backports, we'd want to do it in a consistent manner, not just a one-off for this version. I'm not ruling out backporting in the future, but as long as we're on FusionAuth 1.x, we likely won't release any of these.
While we understand where the question is coming from, and we understand the fact that backports won't occur means that the option of not upgrading is less appealing, committing to such backports could negatively impact the engineering team and the codebase.
I hope this answer brings some clarity and helps you make the correct decision for your application and your business.
Thanks - Dan
We are a paid edition customer. When do you think you will have a version for us to test against?
@mweiss I'm not sure exactly when this release will land, but expect it in Q1. Sorry I don't have an exact date for you.
@mweiss 1.26 was released today. You can read the release notes here: https://fusionauth.io/docs/v1/tech/release-notes/#version-1-26-0
It is available on dockerhub and the download page.