Open mrudatsprint opened 2 months ago
In almost all cases, this type of workflow would need to be self-service. If a support interaction is required, it will be cost-prohibitive for many clients.
The best option here is to have the user change their password. A second option would be to add this capability to the self-service account portal to allow users to self-service delete "remembered" devices that have 2FA trust.
If we were to add this to the self-service portal, we would need:
If we were to go this far, we would likely also want to add the option for users to manage their sessions (refresh tokens). These features would need to be managed by a policy to allow an administrator the option to enable or disable these features.
Netflix and many similar consumer-facing services offer this as a self-service option. We have the ability to manage user sessions via the admin UI or via API today. But we have not offered any self-service session management or similar options to revoke 2FA trust.
There is some risk of losing a device with a 2FA trust cookie; however, these trusts do have a TTL, and of course anyone with this value would also need to know the user's password.
So in the event that a user loses a device, changing your password protects you in the case that someone also knows your password, and it will implicitly revoke all 2FA trusts.
Allow a user's trust token for an MFA trusted device to be deleted
Problem
Right now a user's trust token cannot be deleted in the admin UI or with the API.
Solution
Allow a user's trust token to be deleted in the admin UI or with the API.
Alternatives/workarounds
Additional context
A use case would be a client has lost a device or given it away and we would like to remove its trust token from FusionAuth.
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.