
Backup codes shouldn't be sufficient to enable MFA #27

Open
justinmayer opened this issue Feb 4, 2018 · 1 comment
Comments

@justinmayer

Backup codes by themselves are not a good option for multi-factor authentication, and yet at present it is too easy for users to generate backup codes and, in the process, enable backup-code-only MFA.

I can think of two changes that would help mitigate this:

  1. Change the default templates such that backup code generation links are not displayed until either U2F or TOTP is enabled.

  2. Remove backup codes from the requires_two_factor function.

While (1) above may be sufficient to avoid the problem in most cases, I'm having a difficult time understanding why someone would want backup-code-only MFA, which is why I proposed (2) as well. That said, perhaps I'm missing something — if so, please enlighten me. ☺️

@gavinwahl: What do you think?
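
The two proposed changes, modelled as an added example (not the project's own code; `FactorKind`, `Device`, `User` and the sample accounts are hypothetical). The weak and fixed `requires_two_factor` policies sit side by side, the template gate for backup-code generation depends on the fixed one, and an audit helper finds accounts that already ended up in the backup-code-only state:

```python
from dataclasses import dataclass, field
from enum import Enum

class FactorKind(Enum):
    TOTP = "totp"
    U2F = "u2f"
    BACKUP_CODES = "backup_codes"

# Backup codes are a recovery mechanism, not an independent second factor.
STRONG_FACTORS = {FactorKind.TOTP, FactorKind.U2F}

@dataclass
class Device:
    kind: FactorKind
    confirmed: bool = True  # enrolment completed (e.g. first TOTP code verified)

@dataclass
class User:
    username: str
    devices: list = field(default_factory=list)

def requires_two_factor_weak(user: User) -> bool:
    """Policy the issue describes: any enrolled device, backup codes included, counts as MFA."""
    return any(d.confirmed for d in user.devices)

def requires_two_factor(user: User) -> bool:
    """Point (2): only a confirmed TOTP or U2F device makes the account MFA-enabled."""
    return any(d.confirmed and d.kind in STRONG_FACTORS for d in user.devices)

def can_generate_backup_codes(user: User) -> bool:
    """Point (1): the template shows the backup-code link only once a strong factor exists."""
    return requires_two_factor(user)

def backup_code_only_accounts(users):
    """Audit: accounts the weak policy calls MFA-enabled but the fixed policy does not."""
    return [u.username for u in users
            if requires_two_factor_weak(u) and not requires_two_factor(u)]

# Constructed sample accounts (hypothetical, not from any real deployment).
SAMPLE_USERS = [
    User("alice", [Device(FactorKind.TOTP), Device(FactorKind.BACKUP_CODES)]),
    User("bob", [Device(FactorKind.BACKUP_CODES)]),          # backup-code-only
    User("carol"),                                            # no MFA at all
    User("dave", [Device(FactorKind.U2F, confirmed=False)]),  # enrolment never finished
]
```

Running `backup_code_only_accounts` over existing users before switching policies shows who would be silently downgraded to no-MFA and should be prompted to enrol a real factor.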

@rechner
Contributor

rechner commented Dec 17, 2018

#36 is a start to address point 1
