Email alone is not a useful security factor; if anything, it is a hijack vulnerability for a compromised client (similar to SMS). This is a summarized version of some public hijackings, like some of the iCloud hijacks.
As such, I have configured require 2fa and skip for elevated sessions. The problem is that require 2fa currently only requires the session to have been 2fa'd, not specifically requiring the elevated session and/or the action requested to be 2fa'd. As a result, it is possible for a third party to backdoor a client and add a 2fa token without requiring a 2fa hit if the backdoored client has an active 2fa SSO session.
The TL;DR request is to be able to require a 2fa verification specifically for the elevated session (or at least for the act of adding a 2fa token) instead of just accepting that there is an existing SSO session that was 2fa'd at its beginning.
Use Case
See description. TL;DR: this is a request to be able to require true physical 2fa verification to add additional 2fa tokens.
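The distinction the request turns on, as an added example that is not Authelia's code: a session that was 2FA'd when it started versus a second factor verified recently enough to count for this specific elevated action. The type and option names (`ElevationPolicy`, `SkipIfAuthenticated`, `FreshWithin`, `AllowElevation`) are hypothetical stand-ins for the "require 2fa" and "skip for elevated sessions" settings discussed above, and the session and clock values are constructed.

```go
// Added example, not Authelia's code: "the session was 2FA'd at login" versus
// "a second factor was verified for this elevated action". All names here are
// hypothetical stand-ins for the issue's "require 2fa" / "skip" settings.
package main

import (
	"errors"
	"fmt"
	"time"
)

// AuthLevel is a session's authentication level.
type AuthLevel int

const (
	OneFactor AuthLevel = iota + 1
	TwoFactor
)

// Session is a constructed stand-in for an SSO session.
type Session struct {
	Username       string
	Level          AuthLevel
	SecondFactorAt time.Time // last time a second factor was verified in this session
}

// ElevationPolicy models the two behaviours the issue contrasts.
type ElevationPolicy struct {
	RequireSecondFactor bool          // elevated actions need a second factor at all
	SkipIfAuthenticated bool          // current behaviour: any existing 2FA'd session is accepted
	FreshWithin         time.Duration // requested behaviour: how recently the factor must have been verified
}

var (
	ErrNeedSecondFactor  = errors.New("second factor required for this action")
	ErrStaleSecondFactor = errors.New("second factor must be re-verified for this action")
)

// AllowElevation decides whether an elevated action such as registering a new
// 2FA device may proceed. A non-nil error is the signal to prompt for step-up.
func AllowElevation(p ElevationPolicy, s Session, now time.Time) error {
	if !p.RequireSecondFactor {
		return nil
	}
	if s.Level < TwoFactor {
		return ErrNeedSecondFactor
	}
	if p.SkipIfAuthenticated && p.FreshWithin == 0 {
		// Current behaviour: a session that was 2FA'd at login is enough, so a
		// backdoored client holding that session can add a token unchallenged.
		return nil
	}
	// Requested behaviour: the factor must have been verified within FreshWithin
	// of this action (0 with skip off means "as part of this very action").
	if now.Sub(s.SecondFactorAt) > p.FreshWithin {
		return ErrStaleSecondFactor
	}
	return nil
}

// RecordSecondFactor is called once the user completes a step-up verification.
func RecordSecondFactor(s *Session, now time.Time) {
	s.Level = TwoFactor
	s.SecondFactorAt = now
}

func main() {
	now := time.Date(2024, 3, 19, 12, 0, 0, 0, time.UTC) // constructed clock
	// Constructed session: 2FA'd at login two hours ago, now driven by a compromised client.
	s := Session{Username: "alice", Level: TwoFactor, SecondFactorAt: now.Add(-2 * time.Hour)}

	current := ElevationPolicy{RequireSecondFactor: true, SkipIfAuthenticated: true}
	fmt.Println("current policy:", AllowElevation(current, s, now)) // <nil>: token can be added

	fresh := ElevationPolicy{RequireSecondFactor: true, SkipIfAuthenticated: true, FreshWithin: 5 * time.Minute}
	fmt.Println("fresh policy:  ", AllowElevation(fresh, s, now)) // stale: step-up prompt

	RecordSecondFactor(&s, now)
	fmt.Println("after step-up: ", AllowElevation(fresh, s, now)) // <nil>
}
```

The freshness window is what closes the gap the issue describes: a long-lived session alone no longer satisfies the elevation check, so the hijacked client has to produce a live factor it does not hold, and the `ErrStaleSecondFactor` path is also the natural place to log a step-up prompt for detection.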
Yeah, no worries, we can add this if it's specifically for elevation of a session, and would welcome a PR provided the integration tests cover it.
james-d-elliott changed the title from "FR: Require (or at least add option to) additional 2FA verification to add 2fa token if require 2fa configured for elevated session" to "FR: add option for additional 2FA verification to add 2fa token if require 2fa configured for elevated session" on Mar 19, 2024
james-d-elliott changed the title from "FR: add option for additional 2FA verification to add 2fa token if require 2fa configured for elevated session" to "FR: add option for additional 2FA verification for elevated session" on Mar 19, 2024
Details
See description.
Documentation
See description.