
OATH (2FA) needs an option to remember device but not keep user logged in
Open, Needs Triage, Public

Description

In the current implementation of two-factor authentication (OATH, 2FA), a user who has 2FA enabled must generate a token at every login, regardless of whether the device is already known to the server.

The only way to avoid needing a token every time is to keep the user logged in, which creates a perverse incentive that reduces security.

There should be an option to add a device as a trusted device without keeping the user logged in, so that a user can log out and log back in using the password only. This would be useful for, for example, home and workplace computers, where other people may have physical access to the same device, but the combination of the device and the password can be deemed sufficient to authenticate the user.
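The flow requested above, sketched as an added example that is not code from MediaWiki or the OATHAuth extension: the trusted-device token is a separate, user-bound, expiring, HMAC-signed cookie, so logging out discards the session but not the device trust, and another account on the same device still has to present a one-time code. The server key, 30-day lifetime, user record and `otp_valid` stand-in are all constructed for the example.

```python
import hashlib, hmac, secrets

SERVER_KEY = secrets.token_bytes(32)   # assumed server-side secret for trust cookies
TRUST_TTL = 30 * 24 * 3600             # assumed 30-day device trust lifetime

# Constructed user record: PBKDF2 password hash plus a stand-in for TOTP checking.
SALT = b"constructed-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}

def otp_valid(user, otp):
    """Stand-in for real TOTP verification (constructed for the example)."""
    return user == "alice" and otp == "123456"

def password_valid(user, password):
    stored = USERS.get(user)
    if stored is None:
        return False
    given = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(stored, given)

def _mac(user, nonce, expires):
    msg = f"{user}|{nonce}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_trust_cookie(user, now):
    """Trusted-device cookie: bound to the user, expiring, separate from the session."""
    nonce, expires = secrets.token_hex(16), now + TRUST_TTL
    return f"{user}|{nonce}|{expires}|{_mac(user, nonce, expires)}"

def device_trusted(cookie, user, now):
    """Only a cookie issued to this same user, still within TTL, skips the OTP step."""
    try:
        c_user, nonce, exp_s, tag = (cookie or "").split("|")
        expires = int(exp_s)
    except ValueError:
        return False
    return c_user == user and now < expires and hmac.compare_digest(tag, _mac(user, nonce, expires))

def login(user, password, now, otp=None, trust_cookie=None, remember_device=False):
    """Returns (session_or_None, new_trust_cookie_or_None, status)."""
    if not password_valid(user, password):
        return None, None, "bad password"
    if not device_trusted(trust_cookie, user, now):
        if otp is None:
            return None, None, "otp required"
        if not otp_valid(user, otp):
            return None, None, "bad otp"
    session = secrets.token_hex(16)  # short-lived; logout discards it, not the trust cookie
    new_cookie = issue_trust_cookie(user, now) if remember_device and otp is not None else None
    return session, new_cookie, "ok"
```

A real deployment would additionally record issued nonces server-side so a user can revoke individual trusted devices.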