beromir / Servas

A self-hosted bookmark management tool.
https://servas.app
GNU General Public License v3.0

Ensure that MFA has been set up before enabling it in the user account #23

Closed JonTheNiceGuy closed 2 years ago

JonTheNiceGuy commented 2 years ago

The existing workflow is:

As a user, access profile settings, select "enable" on the multi-factor setting. Done.

While this is very low-impact, this means that you may potentially lock the user out if this was not enabled correctly (perhaps the user's browser session was interrupted, or the page didn't render properly). Instead, the workflow should be:

  1. Select "enable" on the multi-factor setting.
  2. Set up the MFA secret on the authenticator.
  3. Enter an MFA code into the settings page to confirm.

This will ensure that the MFA has been set up in the MFA application.

beromir commented 2 years ago

Thank you for the feature request. This is indeed a better workflow to prevent locking out of your own account.

You will now need to enter the OTP to complete the 2FA setup.

beromir commented 2 years ago

It seems that you need to re-enable 2FA for your account. Until then, your account is not secured with 2FA. Sorry for that.