[2FA] Enforce 2FA for new accounts. (#9035)

Daniel Jacinto · web-flow · commit b2cb381becf7 · 2022-03-10T12:56:26.000-08:00
* Remove disable-enable 2FA button.

* Enable 2fa by default for new accounts.

* Link or replacing new accounts without 2FA enabled show error.

* Enable 2FA button

* fix current tests.

* Removed unecessary 2fa html.

* nit

* Added new tests for authentication controller.

* feature flag.

* fix enable/disable button logic.

* nit tests.

* fix Register enabling 2fa.

* improve UseAccountChangeExternalCredential and fix tests.

* nit.

* Removed non needed nullable references.

* Added test for enable on controller register method.

* Update EnableMultiFactorAuthentication on creation.
diff --git a/src/AccountDeleter/EmptyFeatureFlagService.cs b/src/AccountDeleter/EmptyFeatureFlagService.cs
@@ -141,6 +141,11 @@ public bool IsMarkdigMdRenderingEnabled()
             throw new NotImplementedException();
         }
 
+        public bool IsNewAccount2FAEnforcementEnabled()
+        {
+            throw new NotImplementedException();
+        }
+
         public bool IsODataDatabaseReadOnlyEnabled()
         {
             throw new NotImplementedException();
diff --git a/src/GitHubVulnerabilities2Db/Fakes/FakeFeatureFlagService.cs b/src/GitHubVulnerabilities2Db/Fakes/FakeFeatureFlagService.cs
@@ -274,5 +274,10 @@ public bool IsRecentPackagesNoIndexEnabled()
         {
             throw new NotImplementedException();
         }
+
+        public bool IsNewAccount2FAEnforcementEnabled()
+        {
+            throw new NotImplementedException();
+        }
     }
 }
diff --git a/src/NuGetGallery.Services/Authentication/AuthenticationService.cs b/src/NuGetGallery.Services/Authentication/AuthenticationService.cs
@@ -345,7 +345,7 @@ private async Task<Claim[]> GetUserLoginClaims(AuthenticatedUser user, bool wasM
                     .Where(cred => cred.IsExternal())
                     .Select(cred => cred.Identity)
                     .ToArray();
-                
+
                 var identityList = string.Join(" or ", externalIdentities);
                 ClaimsExtensions.AddExternalCredentialIdentityClaim(claims, identityList);
             }
@@ -365,7 +365,7 @@ private async Task<Claim[]> GetUserLoginClaims(AuthenticatedUser user, bool wasM
             return claims.ToArray();
         }
 
-        public virtual async Task<AuthenticatedUser> Register(string username, string emailAddress, Credential credential, bool autoConfirm = false)
+        public virtual async Task<AuthenticatedUser> Register(string username, string emailAddress, Credential credential, bool autoConfirm = false, bool enableMultiFactorAuthentication = false)
         {
             if (_config.FeedOnlyMode)
             {
@@ -392,7 +392,8 @@ public virtual async Task<AuthenticatedUser> Register(string username, string em
                 UnconfirmedEmailAddress = emailAddress,
                 EmailConfirmationToken = CryptographyService.GenerateToken(),
                 NotifyPackagePushed = true,
-                CreatedUtc = _dateTimeProvider.UtcNow
+                CreatedUtc = _dateTimeProvider.UtcNow,
+                EnableMultiFactorAuthentication = enableMultiFactorAuthentication
             };
 
             // Add a credential for the password
@@ -799,15 +800,15 @@ private async Task ReplaceCredentialInternal(User user, Credential credential)
             Func<Credential, bool> replacingPredicate;
             if (!string.IsNullOrEmpty(replaceCredPrefix))
             {
-                 replacingPredicate = cred => cred.Type.StartsWith(replaceCredPrefix, StringComparison.OrdinalIgnoreCase);
+                replacingPredicate = cred => cred.Type.StartsWith(replaceCredPrefix, StringComparison.OrdinalIgnoreCase);
             }
             else
             {
                 replacingPredicate = cred => cred.Type.Equals(credential.Type, StringComparison.OrdinalIgnoreCase);
             }
 
             var toRemove = user.Credentials
-                .Where(replacingPredicate) 
+                .Where(replacingPredicate)
                 .ToList();
 
             foreach (var cred in toRemove)
diff --git a/src/NuGetGallery.Services/Configuration/FeatureFlagService.cs b/src/NuGetGallery.Services/Configuration/FeatureFlagService.cs
@@ -53,6 +53,7 @@ public class FeatureFlagService : IFeatureFlagService
         private const string DisplayTargetFrameworkFeatureName = GalleryPrefix + "DisplayTargetFramework";
         private const string ComputeTargetFrameworkFeatureName = GalleryPrefix + "ComputeTargetFramework";
         private const string RecentPackagesNoIndexFeatureName = GalleryPrefix + "RecentPackagesNoIndex";
+        private const string NewAccount2FAEnforcementFeatureName = GalleryPrefix + "NewAccount2FAEnforcement";
 
         private const string ODataV1GetAllNonHijackedFeatureName = GalleryPrefix + "ODataV1GetAllNonHijacked";
         private const string ODataV1GetAllCountNonHijackedFeatureName = GalleryPrefix + "ODataV1GetAllCountNonHijacked";
@@ -362,5 +363,10 @@ public bool IsRecentPackagesNoIndexEnabled()
         {
             return _client.IsEnabled(RecentPackagesNoIndexFeatureName, defaultValue: false);
         }
+
+        public bool IsNewAccount2FAEnforcementEnabled()
+        {
+            return _client.IsEnabled(NewAccount2FAEnforcementFeatureName, defaultValue: false);
+        }
     }
 }
diff --git a/src/NuGetGallery.Services/Configuration/IFeatureFlagService.cs b/src/NuGetGallery.Services/Configuration/IFeatureFlagService.cs
@@ -291,5 +291,10 @@ public interface IFeatureFlagService
         /// Whether or not recent packages has no index applied to block search engine indexing.
         /// </summary>
         bool IsRecentPackagesNoIndexEnabled();
+
+        /// <summary>
+        /// Whether or not to enforce 2FA for new external account link or replacement.
+        /// </summary>
+        bool IsNewAccount2FAEnforcementEnabled();
     }
 }
diff --git a/src/NuGetGallery/App_Data/Files/Content/flags.json b/src/NuGetGallery/App_Data/Files/Content/flags.json
@@ -32,6 +32,7 @@
     "NuGetGallery.ImageAllowlist": "Enabled",
     "NuGetGallery.ShowReportAbuseSafetyChanges": "Enabled",
     "NuGetGallery.ComputeTargetFramework": "Enabled",
+    "NuGetGallery.NewAccount2FAEnforcement": "Disabled"
   },
   "Flights": {
     "NuGetGallery.TyposquattingFlight": {
diff --git a/src/NuGetGallery/Controllers/AccountsController.cs b/src/NuGetGallery/Controllers/AccountsController.cs
@@ -56,6 +56,8 @@ public class ViewMessages
         protected IIconUrlProvider IconUrlProvider { get; }
 
         protected IGravatarProxyService GravatarProxy { get; }
+        
+        protected IFeatureFlagService FeatureFlagService { get; }
 
         private readonly DeleteAccountListPackageItemViewModelFactory _deleteAccountListPackageItemViewModelFactory;
 
@@ -71,7 +73,8 @@ public AccountsController(
             IMessageServiceConfiguration messageServiceConfiguration,
             IDeleteAccountService deleteAccountService,
             IIconUrlProvider iconUrlProvider,
-            IGravatarProxyService gravatarProxy)
+            IGravatarProxyService gravatarProxy,
+            IFeatureFlagService featureFlagService)
         {
             AuthenticationService = authenticationService ?? throw new ArgumentNullException(nameof(authenticationService));
             PackageService = packageService ?? throw new ArgumentNullException(nameof(packageService));
@@ -85,6 +88,7 @@ public AccountsController(
             DeleteAccountService = deleteAccountService ?? throw new ArgumentNullException(nameof(deleteAccountService));
             IconUrlProvider = iconUrlProvider ?? throw new ArgumentNullException(nameof(iconUrlProvider));
             GravatarProxy = gravatarProxy ?? throw new ArgumentNullException(nameof(gravatarProxy));
+            FeatureFlagService = featureFlagService ?? throw new ArgumentNullException(nameof(featureFlagService));
 
             _deleteAccountListPackageItemViewModelFactory = new DeleteAccountListPackageItemViewModelFactory(PackageService, IconUrlProvider);
         }
@@ -444,6 +448,7 @@ protected virtual void UpdateAccountViewModel(TUser account, TAccountViewModel m
 
             model.IsCertificatesUIEnabled = ContentObjectService.CertificatesConfiguration?.IsUIEnabledForUser(currentUser) ?? false;
             model.WasMultiFactorAuthenticated = User.WasMultiFactorAuthenticated();
+            model.IsNewAccount2FAEnforcementEnabled = FeatureFlagService.IsNewAccount2FAEnforcementEnabled();
 
             model.HasPassword = account.Credentials.Any(c => c.IsPassword());
             model.CurrentEmailAddress = account.UnconfirmedEmailAddress ?? account.EmailAddress;
diff --git a/src/NuGetGallery/Controllers/AuthenticationController.cs b/src/NuGetGallery/Controllers/AuthenticationController.cs
@@ -34,15 +34,12 @@ public partial class AuthenticationController
         : AppController
     {
         private readonly AuthenticationService _authService;
-
         private readonly IUserService _userService;
-
         private readonly IMessageService _messageService;
-
         private readonly ICredentialBuilder _credentialBuilder;
-
         private readonly IContentObjectService _contentObjectService;
         private readonly IMessageServiceConfiguration _messageServiceConfiguration;
+        private readonly IFeatureFlagService _featureFlagService;
         private const string EMAIL_FORMAT_PADDING = "**********";
 
         // Prioritize the external authentication mechanism.
@@ -57,14 +54,16 @@ public AuthenticationController(
             IMessageService messageService,
             ICredentialBuilder credentialBuilder,
             IContentObjectService contentObjectService,
-            IMessageServiceConfiguration messageServiceConfiguration)
+            IMessageServiceConfiguration messageServiceConfiguration,
+            IFeatureFlagService featureFlagService)
         {
             _authService = authService ?? throw new ArgumentNullException(nameof(authService));
             _userService = userService ?? throw new ArgumentNullException(nameof(userService));
             _messageService = messageService ?? throw new ArgumentNullException(nameof(messageService));
             _credentialBuilder = credentialBuilder ?? throw new ArgumentNullException(nameof(credentialBuilder));
             _contentObjectService = contentObjectService ?? throw new ArgumentNullException(nameof(contentObjectService));
             _messageServiceConfiguration = messageServiceConfiguration ?? throw new ArgumentNullException(nameof(messageServiceConfiguration));
+            _featureFlagService = featureFlagService ?? throw new ArgumentNullException(nameof(featureFlagService));
         }
 
         /// <summary>
@@ -295,12 +294,13 @@ public virtual async Task<ActionResult> Register(LogOnViewModel model, string re
                     }
 
                     usedMultiFactorAuthentication = result.LoginDetails?.WasMultiFactorAuthenticated ?? false;
+                    var enableMultiFactorAuthentication = _featureFlagService.IsNewAccount2FAEnforcementEnabled() ? true : usedMultiFactorAuthentication;
                     user = await _authService.Register(
                         model.Register.Username,
                         model.Register.EmailAddress,
                         result.Credential,
-                        (result.Credential.IsExternal() && string.Equals(result.UserInfo?.Email, model.Register.EmailAddress))
-                        );
+                        autoConfirm: (result.Credential.IsExternal() && string.Equals(result.UserInfo?.Email, model.Register.EmailAddress)),
+                        enableMultiFactorAuthentication: enableMultiFactorAuthentication);
                 }
                 else
                 {
@@ -507,6 +507,15 @@ public virtual async Task<ActionResult> LinkOrChangeExternalCredential(string re
                 return SafeRedirect(returnUrl);
             }
 
+            // All new linking or replacing accounts should have 2FA enabled.
+            if (_featureFlagService.IsNewAccount2FAEnforcementEnabled() && !result.UserInfo.UsedMultiFactorAuthentication)
+            {
+                return ChallengeAuthentication(
+                    Url.LinkOrChangeExternalCredential(returnUrl),
+                    result.Authenticator.Name,
+                    new AuthenticationPolicy() { Email = result.LoginDetails.EmailUsed, EnforceMultiFactorAuthentication = true });
+            }
+
             var newCredential = result.Credential;
             if (await _authService.TryReplaceCredential(user, newCredential))
             {
@@ -518,6 +527,16 @@ public virtual async Task<ActionResult> LinkOrChangeExternalCredential(string re
                 var usedMultiFactorAuthentication = result.LoginDetails?.WasMultiFactorAuthenticated ?? false;
                 await _authService.CreateSessionAsync(OwinContext, authenticatedUser, usedMultiFactorAuthentication);
 
+                // Update the 2FA if used during login but user does not have it set on their account.
+                if (result?.LoginDetails != null
+                    && usedMultiFactorAuthentication
+                    && !user.EnableMultiFactorAuthentication
+                    && CredentialTypes.IsExternal(result.Credential))
+                {
+                    await _userService.ChangeMultiFactorAuthentication(user, enableMultiFactor: true, referrer: "Authentication");
+                    OwinContext.AddClaim(NuGetClaims.EnabledMultiFactorAuthentication);
+                }
+
                 // Get email address of the new credential for updating success message
                 var newEmailAddress = GetEmailAddressFromExternalLoginResult(result, out string errorReason);
                 if (!string.IsNullOrEmpty(errorReason))
@@ -627,6 +646,14 @@ await _authService.CreateSessionAsync(OwinContext,
 
                 return SafeRedirect(returnUrl);
             }
+            else if (_featureFlagService.IsNewAccount2FAEnforcementEnabled() && CredentialTypes.IsExternal(result.Credential) && !result.LoginDetails.WasMultiFactorAuthenticated)
+            {
+                // Invoke the authentication again enforcing multi-factor authentication for the same provider.
+                return ChallengeAuthentication(
+                    Url.LinkExternalAccount(returnUrl),
+                    result.Authenticator.Name,
+                    new AuthenticationPolicy() { Email = result.LoginDetails.EmailUsed, EnforceMultiFactorAuthentication = true });
+            }
             else
             {
                 // Gather data for view model
@@ -703,13 +730,15 @@ internal bool ShouldEnforceMultiFactorAuthentication(AuthenticateExternalLoginRe
             // Enforce multi-factor authentication only if:
             // 1. The authenticator supports multi-factor authentication, otherwise no use.
             // 2. The user has enabled multi-factor authentication for their account.
-            // 3. The user authenticated with the personal microsoft account. AAD 2FA policy is controlled by the tenant admins.
-            // 4. The user did not use the multi-factor authentication for the session, obviously.
+            // 3. The user did not use the multi-factor authentication for the session, obviously.
+            // 4. The user authenticated with an external account (currently only MSA and AAD are supported).
+            // 5. If the 2FA enforcement for new accounts is enabled all external account types should be enforced (step 4 validated this).
+            //    If not, only user authenticated with a personal microsoft account is enforced. AAD 2FA policy is controlled by the tenant admins.
             return result.Authenticator.SupportsMultiFactorAuthentication()
                 && result.Authentication.User.EnableMultiFactorAuthentication
                 && !result.LoginDetails.WasMultiFactorAuthenticated
                 && result.Authentication.CredentialUsed.IsExternal()
-                && (CredentialTypes.IsMicrosoftAccount(result.Authentication.CredentialUsed.Type));
+                && (_featureFlagService.IsNewAccount2FAEnforcementEnabled() || CredentialTypes.IsMicrosoftAccount(result.Authentication.CredentialUsed.Type));
         }
 
         private string FormatEmailAddressForAssistance(string email)
diff --git a/src/NuGetGallery/Controllers/OrganizationsController.cs b/src/NuGetGallery/Controllers/OrganizationsController.cs
@@ -48,7 +48,8 @@ public OrganizationsController(
                   messageServiceConfiguration,
                   deleteAccountService,
                   iconUrlProvider,
-                  gravatarProxy)
+                  gravatarProxy,
+                  features)
         {
             _features = features ?? throw new ArgumentNullException(nameof(features));
         }
diff --git a/src/NuGetGallery/Controllers/UsersController.cs b/src/NuGetGallery/Controllers/UsersController.cs
@@ -69,7 +69,8 @@ public UsersController(
                   messageServiceConfiguration,
                   deleteAccountService,
                   iconUrlProvider,
-                  gravatarProxy)
+                  gravatarProxy,
+                  featureFlagService)
         {
             _packageOwnerRequestService = packageOwnerRequestService ?? throw new ArgumentNullException(nameof(packageOwnerRequestService));
             _config = config ?? throw new ArgumentNullException(nameof(config));
diff --git a/src/NuGetGallery/ViewModels/AccountViewModel.cs b/src/NuGetGallery/ViewModels/AccountViewModel.cs
@@ -26,6 +26,8 @@ public abstract class AccountViewModel
 
         public bool WasMultiFactorAuthenticated { get; set; }
 
+        public bool IsNewAccount2FAEnforcementEnabled { get; set; }
+
         public ChangeEmailViewModel ChangeEmail { get; set; }
 
         public ChangeNotificationsViewModel ChangeNotifications { get; set; }
diff --git a/src/NuGetGallery/Views/Users/_UserAccountChangeExternalCredential.cshtml b/src/NuGetGallery/Views/Users/_UserAccountChangeExternalCredential.cshtml
@@ -67,7 +67,7 @@
 
                     @Html.Hidden("enableMultiFactor", !Model.User.EnableMultiFactorAuthentication);
                     <div class="login-account-row">
-                        @if (Model.User.EnableMultiFactorAuthentication)
+                        @if (!Model.IsNewAccount2FAEnforcementEnabled && Model.User.EnableMultiFactorAuthentication)
                         {
                             <span class="col-sm-9"  style="padding: 0;">
                                 Two-factor authentication is currently enabled <i class="ms-Icon ms-Icon--CheckMark checkmark-icon" aria-hidden="true"></i>
@@ -79,7 +79,7 @@
                                 </button>
                             </span>
                         }
-                        else
+                        else if (!Model.User.EnableMultiFactorAuthentication)
                         {
                             <span class="col-sm-9"  style="padding: 0;">
                                 Two-factor authentication is currently disabled <i class="ms-Icon ms-Icon--Warning warning-icon" aria-hidden="true"></i>
diff --git a/src/VerifyMicrosoftPackage/Fakes/FakeFeatureFlagService.cs b/src/VerifyMicrosoftPackage/Fakes/FakeFeatureFlagService.cs
@@ -118,5 +118,7 @@ public class FakeFeatureFlagService : IFeatureFlagService
         public bool IsComputeTargetFrameworkEnabled() => throw new NotImplementedException();
 
         public bool IsRecentPackagesNoIndexEnabled() => throw new NotImplementedException();
+
+        public bool IsNewAccount2FAEnforcementEnabled() => throw new NotImplementedException();
     }
 }
diff --git a/tests/NuGetGallery.Facts/Authentication/AuthenticationServiceFacts.cs b/tests/NuGetGallery.Facts/Authentication/AuthenticationServiceFacts.cs
diff --git a/tests/NuGetGallery.Facts/Controllers/AuthenticationControllerFacts.cs b/tests/NuGetGallery.Facts/Controllers/AuthenticationControllerFacts.cs

Original file line number	Diff line number	Diff line change
`@@ -141,6 +141,11 @@ public bool IsMarkdigMdRenderingEnabled()`
`141`	`141`	`throw new NotImplementedException();`
`142`	`142`	`}`
`143`	`143`
	`144`	`+ public bool IsNewAccount2FAEnforcementEnabled()`
	`145`	`+ {`
	`146`	`+ throw new NotImplementedException();`
	`147`	`+ }`
	`148`	`+`
`144`	`149`	`public bool IsODataDatabaseReadOnlyEnabled()`
`145`	`150`	`{`
`146`	`151`	`throw new NotImplementedException();`
Original file line number	Diff line number	Diff line change
`@@ -274,5 +274,10 @@ public bool IsRecentPackagesNoIndexEnabled()`
`274`	`274`	`{`
`275`	`275`	`throw new NotImplementedException();`
`276`	`276`	`}`
	`277`	`+`
	`278`	`+ public bool IsNewAccount2FAEnforcementEnabled()`
	`279`	`+ {`
	`280`	`+ throw new NotImplementedException();`
	`281`	`+ }`
`277`	`282`	`}`
`278`	`283`	`}`
Original file line number	Diff line number	Diff line change
`@@ -345,7 +345,7 @@ private async Task<Claim[]> GetUserLoginClaims(AuthenticatedUser user, bool wasM`
`345`	`345`	`.Where(cred => cred.IsExternal())`
`346`	`346`	`.Select(cred => cred.Identity)`
`347`	`347`	`.ToArray();`
`348`		`-`
	`348`	`+`
`349`	`349`	`var identityList = string.Join(" or ", externalIdentities);`
`350`	`350`	`ClaimsExtensions.AddExternalCredentialIdentityClaim(claims, identityList);`
`351`	`351`	`}`
`@@ -365,7 +365,7 @@ private async Task<Claim[]> GetUserLoginClaims(AuthenticatedUser user, bool wasM`
`365`	`365`	`return claims.ToArray();`
`366`	`366`	`}`
`367`	`367`
`368`		`- public virtual async Task<AuthenticatedUser> Register(string username, string emailAddress, Credential credential, bool autoConfirm = false)`
	`368`	`+ public virtual async Task<AuthenticatedUser> Register(string username, string emailAddress, Credential credential, bool autoConfirm = false, bool enableMultiFactorAuthentication = false)`
`369`	`369`	`{`
`370`	`370`	`if (_config.FeedOnlyMode)`
`371`	`371`	`{`
`@@ -392,7 +392,8 @@ public virtual async Task<AuthenticatedUser> Register(string username, string em`
`392`	`392`	`UnconfirmedEmailAddress = emailAddress,`
`393`	`393`	`EmailConfirmationToken = CryptographyService.GenerateToken(),`
`394`	`394`	`NotifyPackagePushed = true,`
`395`		`- CreatedUtc = _dateTimeProvider.UtcNow`
	`395`	`+ CreatedUtc = _dateTimeProvider.UtcNow,`
	`396`	`+ EnableMultiFactorAuthentication = enableMultiFactorAuthentication`
`396`	`397`	`};`
`397`	`398`
`398`	`399`	`// Add a credential for the password`
`@@ -799,15 +800,15 @@ private async Task ReplaceCredentialInternal(User user, Credential credential)`
`799`	`800`	`Func<Credential, bool> replacingPredicate;`
`800`	`801`	`if (!string.IsNullOrEmpty(replaceCredPrefix))`
`801`	`802`	`{`
`802`		`- replacingPredicate = cred => cred.Type.StartsWith(replaceCredPrefix, StringComparison.OrdinalIgnoreCase);`
	`803`	`+ replacingPredicate = cred => cred.Type.StartsWith(replaceCredPrefix, StringComparison.OrdinalIgnoreCase);`
`803`	`804`	`}`
`804`	`805`	`else`
`805`	`806`	`{`
`806`	`807`	`replacingPredicate = cred => cred.Type.Equals(credential.Type, StringComparison.OrdinalIgnoreCase);`
`807`	`808`	`}`
`808`	`809`
`809`	`810`	`var toRemove = user.Credentials`
`810`		`- .Where(replacingPredicate)`
	`811`	`+ .Where(replacingPredicate)`
`811`	`812`	`.ToList();`
`812`	`813`
`813`	`814`	`foreach (var cred in toRemove)`
Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,7 @@ public class FeatureFlagService : IFeatureFlagService`
`53`	`53`	`private const string DisplayTargetFrameworkFeatureName = GalleryPrefix + "DisplayTargetFramework";`
`54`	`54`	`private const string ComputeTargetFrameworkFeatureName = GalleryPrefix + "ComputeTargetFramework";`
`55`	`55`	`private const string RecentPackagesNoIndexFeatureName = GalleryPrefix + "RecentPackagesNoIndex";`
	`56`	`+ private const string NewAccount2FAEnforcementFeatureName = GalleryPrefix + "NewAccount2FAEnforcement";`
`56`	`57`
`57`	`58`	`private const string ODataV1GetAllNonHijackedFeatureName = GalleryPrefix + "ODataV1GetAllNonHijacked";`
`58`	`59`	`private const string ODataV1GetAllCountNonHijackedFeatureName = GalleryPrefix + "ODataV1GetAllCountNonHijacked";`
`@@ -362,5 +363,10 @@ public bool IsRecentPackagesNoIndexEnabled()`
`362`	`363`	`{`
`363`	`364`	`return _client.IsEnabled(RecentPackagesNoIndexFeatureName, defaultValue: false);`
`364`	`365`	`}`
	`366`	`+`
	`367`	`+ public bool IsNewAccount2FAEnforcementEnabled()`
	`368`	`+ {`
	`369`	`+ return _client.IsEnabled(NewAccount2FAEnforcementFeatureName, defaultValue: false);`
	`370`	`+ }`
`365`	`371`	`}`
`366`	`372`	`}`
Original file line number	Diff line number	Diff line change
`@@ -291,5 +291,10 @@ public interface IFeatureFlagService`
`291`	`291`	`/// Whether or not recent packages has no index applied to block search engine indexing.`
`292`	`292`	`/// </summary>`
`293`	`293`	`bool IsRecentPackagesNoIndexEnabled();`
	`294`	`+`
	`295`	`+ /// <summary>`
	`296`	`+ /// Whether or not to enforce 2FA for new external account link or replacement.`
	`297`	`+ /// </summary>`
	`298`	`+ bool IsNewAccount2FAEnforcementEnabled();`
`294`	`299`	`}`
`295`	`300`	`}`
Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,8 @@ public OrganizationsController(`
`48`	`48`	`messageServiceConfiguration,`
`49`	`49`	`deleteAccountService,`
`50`	`50`	`iconUrlProvider,`
`51`		`- gravatarProxy)`
	`51`	`+ gravatarProxy,`
	`52`	`+ features)`
`52`	`53`	`{`
`53`	`54`	`_features = features ?? throw new ArgumentNullException(nameof(features));`
`54`	`55`	`}`