FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Allow a user's trust token for a MFA trusted device to be deleted #2706

Open mrudatsprint opened 2 months ago

mrudatsprint commented 2 months ago

Allow a user's trust token for a MFA trusted device to be deleted

Problem

Right now a user's trust token cannot be deleted in the admin UI or with the API.

Solution

Allow a user's trust token to be deleted in the admin UI or with the API.

Alternatives/workarounds

Additional context

A use case would be a client who has lost a device or given it away; we would like to remove its trust token from FusionAuth.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

robotdan commented 2 months ago

In almost all cases, this type of workflow would need to be self-service. If a support interaction is required, it will be cost prohibitive for many clients.

The best option here is to have the user change their password. A second option would be to add this capability to the self-service account portal to allow users to self-service delete "remembered" devices that have 2FA trust.

If we were to add this to the self-service portal, we would need:

  1. A new API to revoke all MFA trusts for a user, or a single MFA trust by Id
  2. New themed pages in the self-service portal to manage MFA trusts

If we were to go this far, we would likely also want to add the option for users to manage their sessions (refresh tokens). These features would need to be managed by a policy to allow an administrator the option to enable or disable these features.

Netflix, and many similar consumer facing services offer this as a self-service option. We have the ability to manage user sessions via the admin UI or via API today. But we have not offered any self-service session management or similar options to revoke 2FA trust.

There is some risk of losing a device with a 2FA trust cookie, however, these trusts do have a TTL, and of course anyone with this value would also need to know the user's password.

So in the event that a user loses a device, changing your password protects you in the case that someone also knows your password, and it will implicitly revoke all 2FA trusts.
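An administrative version of the workaround described in the comment above (revoke the user's sessions via the existing API, then set a new password so the 2FA trusts are implicitly revoked), written as an added example for this page; it is not FusionAuth's own code and not something posted in this thread. It assumes FusionAuth's Refresh Token API (`DELETE /api/jwt/refresh?userId=...`) and User API (`PATCH /api/user/{userId}` with `user.password`) behave as named here, and the hostname, API key, user id and password are placeholders; check both endpoints against the documentation for your FusionAuth version before using it.

```python
"""Lost-device response against a FusionAuth instance (added example, not project code).

Assumed endpoints (verify against your version's API docs):
  DELETE /api/jwt/refresh?userId=<id>   revoke every refresh token (session) the user holds
  PATCH  /api/user/<id>                 partial update; setting user.password changes the password
"""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# A transport takes a prepared urllib Request and returns (http_status, body_text).
Transport = Callable[[urllib.request.Request], Tuple[int, str]]


def _http_send(req: urllib.request.Request) -> Tuple[int, str]:
    """Default transport: actually perform the request."""
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


@dataclass
class FusionAuthAdmin:
    base_url: str          # e.g. "https://auth.example.com" (placeholder)
    api_key: str           # FusionAuth API key; sent raw in the Authorization header
    transport: Optional[Transport] = None   # injectable, so the flow can be dry-run offline

    def _send(self, method: str, path: str, body: Optional[dict] = None) -> Tuple[int, str]:
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base_url.rstrip("/") + path, data=data, method=method)
        req.add_header("Authorization", self.api_key)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        send = self.transport or _http_send
        return send(req)

    def revoke_all_refresh_tokens(self, user_id: str) -> Tuple[int, str]:
        """Kill every session the user has, including one on the lost device."""
        query = urllib.parse.urlencode({"userId": user_id})
        return self._send("DELETE", f"/api/jwt/refresh?{query}")

    def set_new_password(self, user_id: str, new_password: str) -> Tuple[int, str]:
        """Change the password; per the comment above this also revokes the user's 2FA trusts.
        Assumption: PATCH with only user.password leaves the rest of the user intact."""
        return self._send("PATCH", f"/api/user/{user_id}", {"user": {"password": new_password}})


def lost_device_response(client: FusionAuthAdmin, user_id: str, new_password: str) -> dict:
    """Run both steps and return the HTTP status of each, so a runbook can check them."""
    sessions_status, _ = client.revoke_all_refresh_tokens(user_id)
    password_status, _ = client.set_new_password(user_id, new_password)
    return {"sessions": sessions_status, "password": password_status}


if __name__ == "__main__":
    # Placeholder values; replace with a real base URL, API key and user id to run for real.
    admin = FusionAuthAdmin("https://auth.example.com", "REPLACE-WITH-API-KEY")
    print(lost_device_response(admin, "00000000-0000-0000-0000-000000000000", "N3w-Passw0rd!"))
```

The injectable transport is there so the two requests can be inspected (method, URL, headers, body) without touching a live instance; pass a function that records the `Request` and returns `(200, "{}")` to dry-run the flow.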