amidaware / tacticalrmm

A remote monitoring & management tool, built with Django, Vue and Go.
https://docs.tacticalrmm.com

Make users confirm their second factor before saving it #1870

Open sebvonhelsinki opened 1 month ago

sebvonhelsinki commented 1 month ago

Is your feature request related to a problem? Please describe. When setting up 2FA, the user sees the TOTP setup QR code and confirms with a click on "FINISH". When the user clicks on "FINISH", TacticalRMM saves the TOTP base code, without verifying that the user actually has it set up successfully on their end. If the user, for any reason, was not able to set up 2FA successfully, they are now locked out of their account since TacticalRMM asks for 2FA confirmation on the next login.

Describe the solution you'd like After showing the user the TOTP secret code/QR code, before the user can confirm that they have set up MFA, the user should be required to enter the current TOTP code generated from the currently shown TOTP secret. Only after this confirmation should the 2FA settings for the user be updated.

To streamline this, the confirmation could look as follows:

Describe alternatives you've considered No alternatives have come to mind.

Additional context TacticalRMM is the first service I have encountered that activates 2FA without verifying that it actually works.
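The enrollment flow the report asks for, written out as an added example for this page; it is not code from TacticalRMM or from the reporter. It implements HOTP/TOTP from RFC 4226/6238 with the standard library (no pyotp dependency), and a hypothetical `TwoFactorEnrollment` class whose `finish_unverified` mirrors the current save-on-FINISH behaviour and whose `finish_verified` only activates the secret once the user has typed a correct code for it. The class, method names and the use of the RFC 4226 test secret `12345678901234567890` as sample input are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept a 6-digit code for the current step or its `window` neighbours (clock skew)."""
    code = code.replace(" ", "")
    if not (code.isascii() and code.isdigit() and len(code) == 6):
        return False
    counter = int(at) // 30
    ok = False
    for delta in range(-window, window + 1):
        # Compare every candidate so timing does not reveal which step matched.
        ok |= hmac.compare_digest(hotp(secret, counter + delta), code)
    return ok


class TwoFactorEnrollment:
    """Hypothetical server-side state for one user's 2FA setup (assumed names).

    `active_secret` is what login enforces. `pending_secret` lives only in the
    server session until the user proves their authenticator produces a valid
    code for it; the client never supplies the secret back to the server.
    """

    def __init__(self) -> None:
        self.active_secret: Optional[str] = None
        self.pending_secret: Optional[str] = None

    def begin(self, raw_secret: Optional[bytes] = None) -> str:
        """Generate a fresh 160-bit secret and return it base32-encoded for the QR code."""
        raw = raw_secret if raw_secret is not None else secrets.token_bytes(20)
        self.pending_secret = base64.b32encode(raw).decode("ascii")
        return self.pending_secret

    def finish_unverified(self) -> None:
        """The flow the issue describes: save on FINISH with no proof the app works."""
        if self.pending_secret is None:
            raise ValueError("no enrollment in progress")
        self.active_secret, self.pending_secret = self.pending_secret, None

    def finish_verified(self, code: str, now: int) -> bool:
        """The requested flow: activate only after a correct code for the pending secret."""
        if self.pending_secret is None:
            raise ValueError("no enrollment in progress")
        raw = base64.b32decode(self.pending_secret)
        if not verify_totp(raw, code, now):
            return False  # nothing is saved; the user can retry or rescan the QR code
        self.active_secret, self.pending_secret = self.pending_secret, None
        return True


if __name__ == "__main__":
    # Constructed walk-through with the RFC 4226 test secret at Unix time 59.
    demo_secret = b"12345678901234567890"
    enrollment = TwoFactorEnrollment()
    enrollment.begin(demo_secret)
    print("wrong code accepted:", enrollment.finish_verified("000000", 59))
    print("active after wrong code:", enrollment.active_secret)
    print("right code accepted:", enrollment.finish_verified(totp(demo_secret, 59), 59))
    print("active after right code:", enrollment.active_secret)
```

With a wrong code `finish_verified` returns False and `active_secret` stays None, so a user whose authenticator app failed to import the secret is never locked out; with the code the app actually produces the secret is committed. The pending secret should be kept in the server session and discarded if the user abandons the page, and the verified code should be recorded so it cannot be replayed for the first login.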