Separate recovery codes into a separate MFA method
Open, Needs TriagePublic
Actions

Description

With WebAuthn approaching, it might be worth to separate the Recovery codes from OATHAuth into a separate MFA authentication module and detach if from the TOTP method as WebAuthn does not have a recovery method of its own.

Related Objects

Mentioned In: T244348: Recovery option for Webauthn
T242031: Allow multiple different 2FA devices
Mentioned Here: T150601: Add option to generate new set of scratch codes
T218214: SO878 Step 3: Finalize settings and user experience

Event Timeline

TheDJ created this task.Sep 9 2019, 1:47 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 9 2019, 1:47 PM

I think then having this "backup/recovery code" module to be enable if one (or more) MFA methods are enabled... Makes complete sense

This might make T150601: Add option to generate new set of scratch codes easier too

One problem, the current database structure only allows one set of 2fa credentials per user.... :(

id int(11) PK

where id is user_id

We have a decent size blob we can use though...

In T232336#5476334, @TheDJ wrote:

One problem, the current database structure only allows one set of 2fa credentials per user.... :(
id int(11) PK
where id is user_id

I do wonder if we can drop the module column, and just have that as part of the data....

AntiCompositeNumber added a subscriber: AntiCompositeNumber.Jan 6 2020, 9:34 PM

Paladox added a subscriber: Paladox.Jan 6 2020, 9:40 PM

Reedy mentioned this in T242031: Allow multiple different 2FA devices.Jan 6 2020, 9:47 PM

Reedy mentioned this in T244348: Recovery option for Webauthn.Wed, Feb 5, 6:57 PM

Separate recovery codes into a separate MFA methodOpen, Needs TriagePublicActions

Description

Related Objects

Event Timeline

Separate recovery codes into a separate MFA method
Open, Needs TriagePublic
Actions