Different security settings per user type / user group

[simonech]

Problem statement

Umbraco currently provides very flexible password complexity configuration, but it follows a one-size-fits-all approach.

As a result:

• If we enforce very strong password requirements (e.g. 20+ characters) for admins or service accounts,
• the same requirements must also be enforced for regular editors.

This makes it difficult to apply appropriate security controls based on risk level and role, especially in environments with:

• privileged administrator accounts,
• service or integration accounts,
• and a larger number of non-technical editors.

Proposed idea

Allow different security settings for different types of users, ideally based on user groups.

A group-based approach would likely be the most flexible and align well with existing Umbraco concepts.

Examples of settings that could be group-specific:

• password complexity requirements
• password length
• enforced MFA Better support for MFA / 2FA enforcement and management #21632

Open discussion

This discussion can be used to:

• validate whether this approach makes sense from a product perspective
• brainstorm possible implementation strategies
• assess feasibility and potential impact on existing setups

Note

This ticket was discussed within the Umbraco Security & Privacy Advisors group; I’m formalising it here to gather broader feedback.

[nul800sebastiaan]

I just want to note that password complexity has proven to be mostly useless, long passwords are the hardest ones to crack.

Personally, I think we should hold anybody who can log in to the backoffice to the same standard of having a long password.

Agreed on improving MFA management.

Additionally, I would love to see passkeys being discussed as a complete replacement for logging in with passwords. I know they're not quite mainstream yet and there's various challenges with password managers, so it could be opt-in with a good fallback for now.

[AndyButland]

We discussed and investigated this a little this morning, and at least the password complexity requirement can be handled already by registering a custom IPasswordValidator. See the following example:

using Microsoft.AspNetCore.Identity;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.Security;

namespace Umbraco.Cms.Web.UI.Custom;

public class GroupBasedPasswordValidator : IPasswordValidator<BackOfficeIdentityUser>
{
    public Task<IdentityResult> ValidateAsync(
        UserManager<BackOfficeIdentityUser> manager,
        BackOfficeIdentityUser? user,
        string? password)
    {
        if (user == null || string.IsNullOrEmpty(password))
        {
            return Task.FromResult(IdentityResult.Success);
        }

        var errors = new List<IdentityError>();

        var isAdmin = user.Roles.Any(r =>
            r.RoleId.Equals("admin", StringComparison.OrdinalIgnoreCase));

        if (isAdmin)
        {
            // Administrators: 20+ characters, must have digits and symbols.
            if (password.Length < 20)
            {
                errors.Add(new IdentityError
                {
                    Code = "AdminPasswordTooShort",
                    Description = "Administrator passwords must be at least 20 characters."
                });
            }

            if (!password.Any(char.IsDigit))
            {
                errors.Add(new IdentityError
                {
                    Code = "AdminPasswordRequiresDigit",
                    Description = "Administrator passwords must contain at least one digit."
                });
            }

            if (!password.Any(c => !char.IsLetterOrDigit(c)))
            {
                errors.Add(new IdentityError
                {
                    Code = "AdminPasswordRequiresSymbol",
                    Description = "Administrator passwords must contain at least one symbol."
                });
            }
        }
        else
        {
            // Editors/other users: standard 10 character minimum.
            // (Or could fallback to defaults here).
            if (password.Length < 10)
            {
                errors.Add(new IdentityError
                {
                    Code = "PasswordTooShort",
                    Description = "Password must be at least 10 characters."
                });
            }
        }

        return Task.FromResult(errors.Count > 0
            ? IdentityResult.Failed(errors.ToArray())
            : IdentityResult.Success);
    }
}

public class PasswordValidationComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        builder.Services.AddScoped<IPasswordValidator<BackOfficeIdentityUser>, GroupBasedPasswordValidator>();
    }
}

[simonech]

@nul800sebastiaan, with complexity I referred generically to all password settings, including length which is indeed the most effective.
Security is always a compromise: you cannot enforce enforce the same length for editors or writers that cannot even publish and for admins that can potentially unpublish the whole site.
I didn't know there was that password validation interface. I'll play with that. Thx @AndyButland.
And indeed password-less auth is a good thing to investigate as well.

[nul800sebastiaan]

I understand what you meant by complexity. Modern guidance says complexity rules most often produce predictable patterns and worse human choices, leading to easier password cracking.

Longer passwords are recommended, the default we have now of 10 is already too short, 15 is a better recommendation these days.
I agree that this is the recommendation specifically for privileged accounts but editors and writers, if compromised can update any and all content. Given enough time that would probably require a database restore to get back to a good state. Even if they can't publish, the work it would take to reject and revert malicious edits can be significant. So I would view them as having privileged accounts.