cozy / cozy-home-v2

This repository was part of CozyV2 which has been deprecated
https://blog.cozycloud.cc/post/2016/11/21/On-the-road-to-Cozy-version-3
GNU Affero General Public License v3.0

Improve two-factor authentication setup #764

Open alpha14 opened 8 years ago

alpha14 commented 8 years ago

The system should ask for a confirmation token when enabling 2FA. If the user disconnects straight away from his Cozy, it locks him out.

babolivier commented 8 years ago

Hi @alpha14,

Thanks for the suggestion! That solves a question I had been asking myself for a few days. I'm currently working on implementing recovery tokens into Cozy's 2FA mechanism, and will start implementing your idea right after.

babolivier commented 8 years ago

As @ZeHiro just suggested on IRC, we could add to that a request for the password, to prevent the case of someone exploiting an open connection (for example if you forgot to log out of a computer) to enable 2FA and lock you out of Cozy. In brief, we ask the user for a "blank" 2FA to test if everything's OK. Also just in case, we can do that on disabling 2FA too, to prevent an unwanted downgrade of security.