FR: add option for additional 2FA verification for elevated session #6963
Labels
priority/4/normal
Normal priority items
status/needs-design
Requires thoughtful design
type/feature
Request for adding a new feature
Comments
ikiris
added
priority/4/normal
This comment was marked as off-topic.
This comment was marked as off-topic.
|
Yeah no worries, we can add this if it's specifically for elevation of a session and would welcome a PR provided the integration tests cover it. |
james-d-elliott
changed the title
james-d-elliott
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Email alone is not a useful security factor, if anything it is a hijack vulnerability for a compromised client (similar to SMS). This is a summarized version of some public hijackings like some of the icloud hijacks.
As such I have configured require 2fa and skip for elevated sessions. The problem is that require 2fa currently only requires the session to have been 2fa'd and not specifically requiring the elevated session and/or action requested to be 2fa'd. As a result, it is possible for a 3rd party to backdoor a client and add a 2fa token without requiring a 2fa hit if a backdoored client has an active 2fa SSO session.
The tldr request is to be able to require a 2fa verification specifically for the elevated session (or at least for the act of adding a 2fa token) instead of just accepting that there is an existing SSO session that was 2fa'd at its beginning.
Use Case
see description. TLDR this is a request to be able to require true physical 2fa verification to add additional 2fa tokens
Details
see description
Documentation
see description
Pre-Submission Checklist
I agree to follow the Code of Conduct
I have checked for related issues and checked the documentation
The text was updated successfully, but these errors were encountered: