PhilanthropyDataCommons / auth

PDC related extensions that were made for the keycloak auth service

On first login, validate the just-entered mobile number #24

Open bickelj opened 1 year ago

bickelj commented 1 year ago

On the first login flow, the user has no mobile number to use as another factor of authentication, and the user enters that mobile number. On subsequent logins, 2FA is active, but that first login does not (yet) require validation of the mobile number.

The mobile number should be validated via OTP on first login somehow.

reefdog commented 1 year ago

Gonna add a framing requirement that will probably require onerous special-casing of auth logic, but:

Until the user provides and confirms their 2FA, they shouldn't actually be able to use their authentication to do anything. (I clarify that last point so we don't get in the weeds on what actually constitutes authentication.)
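One way to model what both comments ask for (OTP confirmation of the just-entered number, and a session that can do nothing else until that confirmation succeeds), as an added example that is not this repository's code and does not use Keycloak's authenticator SPI. The `Session`, `PendingEnrollment`, the `sender` callback and the action names are assumptions made for illustration; the number entered on first login is held only as a pending challenge and becomes the stored second factor solely on a correct, unexpired, non-locked-out OTP:

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

OTP_DIGITS = 6          # illustrative parameters, not project settings
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class PendingEnrollment:
    """An OTP challenge for a mobile number that has NOT yet been confirmed."""
    mobile: str
    code: str
    expires_at: float
    attempts: int = 0


@dataclass
class Session:
    """Hypothetical login session. Until mobile_verified is True the session is
    unprivileged: it may only be used to finish phone enrollment."""
    user_id: str
    mobile_verified: bool = False
    mobile: Optional[str] = None          # set only after a successful OTP check
    pending: Optional[PendingEnrollment] = None

    def requires_enrollment(self) -> bool:
        return not self.mobile_verified


def generate_otp(digits: int = OTP_DIGITS) -> str:
    # secrets, not random: the code is a short-lived credential.
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def start_enrollment(session: Session, mobile: str, now: float,
                     sender: Callable[[str, str], None]) -> None:
    """First-login step 1: the user submits a mobile number. Nothing is stored as a
    verified factor; an OTP is sent to that number and a pending challenge recorded."""
    code = generate_otp()
    session.pending = PendingEnrollment(mobile=mobile, code=code,
                                        expires_at=now + OTP_TTL_SECONDS)
    sender(mobile, code)  # e.g. an SMS gateway; a callback here so this runs offline


def confirm_enrollment(session: Session, submitted_code: str, now: float) -> bool:
    """First-login step 2: the user echoes the OTP back. Only on success does the
    number become the verified second factor and the session become usable."""
    p = session.pending
    if p is None:
        return False
    if now > p.expires_at or p.attempts >= MAX_ATTEMPTS:
        session.pending = None  # expired or locked out: force a fresh challenge
        return False
    p.attempts += 1
    if not hmac.compare_digest(p.code, submitted_code):  # constant-time compare
        return False
    session.mobile = p.mobile
    session.mobile_verified = True
    session.pending = None
    return True


def authorize(session: Session, action: str) -> bool:
    """Gate for every protected action. An unverified session may continue
    enrollment and nothing else, which is the framing requirement above."""
    if session.requires_enrollment():
        return action in {"enroll_mobile", "confirm_mobile"}
    return True
```

In a Keycloak deployment this gating would live in an authenticator or required action on the first-login flow rather than in a standalone module, but the invariant is the same: an unconfirmed number is not a factor, and a session that has not confirmed one is not authorised for anything else.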

kfogel commented 4 months ago

This seems related to issue #5 though not exactly a dup of it.