
Separate recovery codes into a separate MFA method
Open, Needs Triage, Public

Description

With WebAuthn approaching, it might be worth separating the recovery codes from OATHAuth into a separate MFA authentication module and detaching it from the TOTP method, as WebAuthn does not have a recovery method of its own.

See also: T218214#5474912

Event Timeline

TheDJ created this task. Sep 9 2019, 1:47 PM
Restricted Application added a subscriber: Aklapper. Sep 9 2019, 1:47 PM
Reedy added a subscriber: Reedy. Sep 9 2019, 4:33 PM

I think then having this "backup/recovery code" module to be enabled if one (or more) MFA methods are enabled... Makes complete sense

This might make T150601: Add option to generate new set of scratch codes easier too

TheDJ added a comment. Edited Sep 9 2019, 7:28 PM

One problem, the current database structure only allows one set of 2fa credentials per user.... :(

id int(11) PK

where id is user_id

Reedy added a comment. Sep 9 2019, 7:40 PM

We have a decent size blob we can use though...

> One problem, the current database structure only allows one set of 2fa credentials per user.... :(
> id int(11) PK
> where id is user_id

I do wonder if we can drop the module column, and just have that as part of the data....
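
The constraint raised in the comments above, as an added example that is not part of the thread or the extension's own code: with `id` (the user_id) as primary key, a second MFA method cannot be stored as its own row, while keeping the methods inside the data blob allows several per user. The table names, module names, JSON layout and helper functions are assumptions made for illustration.

```python
import json
import sqlite3


def open_db():
    conn = sqlite3.connect(":memory:")
    # Layout described in the thread: id is the user_id and the primary key.
    conn.execute("CREATE TABLE mfa_rows (id INTEGER PRIMARY KEY, module TEXT, data BLOB)")
    # Layout floated in the last comment: no module column, methods live in data.
    conn.execute("CREATE TABLE mfa_blob (id INTEGER PRIMARY KEY, data BLOB)")
    return conn


def second_method_rejected(conn, user_id):
    """One row per method: a second method for the same user hits the PK."""
    conn.execute("INSERT INTO mfa_rows VALUES (?, 'totp', ?)",
                 (user_id, json.dumps({"secret": "CONSTRUCTED"})))
    try:
        conn.execute("INSERT INTO mfa_rows VALUES (?, 'recovery', ?)",
                     (user_id, json.dumps({"codes": ["CONSTRUCTED-1"]})))
    except sqlite3.IntegrityError:
        return True
    return False


def _load(conn, user_id):
    row = conn.execute("SELECT data FROM mfa_blob WHERE id = ?", (user_id,)).fetchone()
    return json.loads(row[0]) if row else {}


def _store(conn, user_id, methods):
    conn.execute("INSERT OR REPLACE INTO mfa_blob VALUES (?, ?)",
                 (user_id, json.dumps(methods)))


def set_method(conn, user_id, module, settings):
    """One row per user: methods are keyed by module name inside the blob."""
    methods = _load(conn, user_id)
    methods[module] = settings
    _store(conn, user_id, methods)
    return sorted(methods)


def remove_method(conn, user_id, module):
    """Removing one method leaves the user's other methods enrolled."""
    methods = _load(conn, user_id)
    methods.pop(module, None)
    _store(conn, user_id, methods)
    return sorted(methods)
```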

Paladox added a subscriber: Paladox. Jan 6 2020, 9:40 PM