Require 2fa based on permission group

Is there a way to require 2FA for users only of a specific user permissions group?

For example, I want all users who access App X to use 2FA, but users who access App Y do not need to.

Or, for example, I do not want to require external users to have 2FA, but all organization users should.

If you add the users into the group and then just have those users be required to use 2FA, I think that's the only way you can do it from what I can tell... not optimum imho, but it works... had to do something similar for the "All Users" group.


Hi @kyleteal,

I can confirm @ScottR's approach is likely the best way to implement your use case, unless you want to go the resource permissions route.

Permissions are controlled at the resource level, and on the permission group level.

On the group permission level, the ability to use/edit/own an app is controlled based on their group.

If app X and Y could use the same resource, you could duplicate resources to change their permissions based on which app they are in. If they use different resources, you wouldn't need to duplicate.

Not crazy hard, as resources can be duplicated with one click, just not DRY and harder to scale with apps that have many resources.

If you know which users will be using which apps, then groups may be easier to set once, and then you just control who is in which group.

Perhaps I am misunderstanding, but what does this have to do with two-factor authentication?

The goal is to require all users who access specific apps to have 2FA enabled and required, but users of another permission group would not have that requirement.

The reason for this need is that I want all users in our organization to have 2FA enabled, but I don't want that requirement to extend to external users.

Ah yes, my apologies, I read that incorrectly :sweat_smile:

Looking at the docs on 2FA, it seems that it either needs to be on or off for the entire org.

But, as noted in the docs, if on an enterprise plan, you could have 2FA turned off, and then have members of your team 'opt in' so that they have 2FA on their accounts.

Let me check internally as well to see if our docs are missing anything related to this for "external users", as external apps are a newer feature and it makes sense to not need them to use 2FA to log in, but for team members that are app builders to have that level of security.

Hi @kyleteal,

Just checked with the team, and to clarify: you don't have to be on ENT, and you don't have to apply 2FA as either all or none.

Individual users just need to opt into 2FA for themselves if they want to have that level of security on their account to log into the Retool org.

They can do this under 'Personal' -> 'Account' from settings, which takes them to /settings/account.

There isn't a way to 'assign' 2FA to org users; they have to opt in and set it up themselves.