d8-contrib-modules / tfa

DEPRECATED - D8 TFA port now on drupal.org
https://www.drupal.org/project/tfa

As an administrator I need to be able to turn off tfa for specific users #47

Open aweingarten opened 8 years ago

aweingarten commented 8 years ago

Currently a user must log in as an admin, attempt to turn off 2fa for a user, get prompted for a password and then enter the password.

It's impossible to do this for an admin that relies on drush uli to turn off 2fa. You get prompted for a password you don't know! Administrators should be able to disable 2fa without being prompted for a password.

nerdstein commented 8 years ago

The same could be said for the Masquerade module, but that would be after a user is logged in.

nerdstein commented 8 years ago

@aweingarten --- what do you think the best way to solve this is? Clearly we need to keep the security intact, but walk us through what you think would be a good means for resolving this.

nerdstein commented 8 years ago

We need a permission that bypasses the secondary password check if you have the permission.

Basically, as an admin, I could be granted a "manage user tfa" permission which would NOT prompt me for a secondary password check.

aweingarten commented 8 years ago

We already have an "Administer users" permission which is used to manage users and password. Can reuse that.

Keep "Administer TFA" for the global site-wide settings.

therealssj commented 8 years ago

Yes, administer users seems to be better, was just writing that. It is already used in TFA at some positions.

nerdstein commented 8 years ago

I like that idea.