gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Passwordless account recovery #20045

Open codingllama opened 1 year ago

codingllama commented 1 year ago

What would you like Teleport to do?

Account Recovery flows, in a simplified explanation, exchange a recovery code for either a password reset or an MFA device registration. This implies that the user is in possession of at least one authn factor, either the password or an MFA device.

Passwordless-exclusive users rely on a secure device for both factors - if said device is lost, and is the sole registered device, then they can present nothing else. This issue is heightened in the face of feature requests such as #19671 and #13219.

There are two current mitigations, which are actually the best scenarios as well: 1. registering additional passwordless devices and/or 2. using passkeys. Additional devices help as long as all devices aren't lost at the same time; passkeys help because the user could "recover" the passkey via the service that holds it.

What problem does this solve?

Account recovery for passwordless-exclusive accounts.

If a workaround exists, please include it.

Workarounds explained above.
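The recovery flow the issue describes, as an added, self-contained model in Go (this is example code written for this page, not Teleport's own implementation; the `User`, `Factor` and `Recover` names and the sample accounts alice, bob and carol are constructed for the illustration). A recovery code is exchanged for a replacement factor only when the user can still present one factor they possess: a password permits registering a new device, a remaining device permits a password reset or a new device. The constructed accounts show the three cases from the issue: password plus lost MFA device (recoverable), passwordless-only with the sole device lost (nothing to present), and passwordless-only with a second registered device (recoverable with the spare).

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// FactorKind classifies what a user can present during recovery.
type FactorKind int

const (
	FactorPassword           FactorKind = iota // something the user knows
	FactorMFADevice                            // second-factor device (OTP, WebAuthn)
	FactorPasswordlessDevice                   // device that satisfies both factors at once
)

// Factor is one registered authenticator; Lost marks one the user can no longer present.
type Factor struct {
	Kind FactorKind
	Name string
	Lost bool
}

// recoveryCode keeps only the hash of an issued code; each code is single use.
type recoveryCode struct {
	hash []byte
	used bool
}

// User is a minimal account model (hypothetical, not Teleport's type).
type User struct {
	Name    string
	Factors []Factor
	codes   []recoveryCode
}

var (
	ErrNoRemainingFactor = errors.New("no remaining authn factor to present; account cannot be recovered")
	ErrBadRecoveryCode   = errors.New("recovery code invalid or already used")
)

// hashCode hashes a code before storage; the codes are 128-bit random values,
// so a plain SHA-256 is enough for this model (a slow hash is the safer default).
func hashCode(code string) []byte {
	h := sha256.Sum256([]byte(code))
	return h[:]
}

// IssueRecoveryCodes generates n random codes, stores their hashes and returns
// the plaintext codes once, for the user to write down.
func (u *User) IssueRecoveryCodes(n int) ([]string, error) {
	u.codes = nil
	out := make([]string, 0, n)
	for i := 0; i < n; i++ {
		raw := make([]byte, 16) // 128 bits of entropy per code
		if _, err := rand.Read(raw); err != nil {
			return nil, err
		}
		code := hex.EncodeToString(raw)
		u.codes = append(u.codes, recoveryCode{hash: hashCode(code)})
		out = append(out, code)
	}
	return out, nil
}

// consumeCode compares the presented code against every unused hash in
// constant time and burns the matching code so it cannot be replayed.
func (u *User) consumeCode(code string) bool {
	h := hashCode(code)
	for i := range u.codes {
		if !u.codes[i].used && subtle.ConstantTimeCompare(u.codes[i].hash, h) == 1 {
			u.codes[i].used = true
			return true
		}
	}
	return false
}

// RemainingFactors lists the factors the user can still present.
func (u *User) RemainingFactors() []Factor {
	var out []Factor
	for _, f := range u.Factors {
		if !f.Lost {
			out = append(out, f)
		}
	}
	return out
}

// Recover exchanges a recovery code plus one still-possessed factor for a
// replacement factor. The possession check runs first so a locked-out user
// does not burn a code on an attempt that cannot succeed. A password cannot
// vouch for its own reset; that needs a device.
func (u *User) Recover(code, present string, replacement Factor) error {
	var presented *Factor
	for i := range u.Factors {
		if u.Factors[i].Name == present && !u.Factors[i].Lost {
			presented = &u.Factors[i]
		}
	}
	if presented == nil {
		return ErrNoRemainingFactor
	}
	if presented.Kind == FactorPassword && replacement.Kind == FactorPassword {
		return ErrNoRemainingFactor
	}
	if !u.consumeCode(code) {
		return ErrBadRecoveryCode
	}
	kept := u.Factors[:0] // drop lost factors of the kind being replaced
	for _, f := range u.Factors {
		if !(f.Lost && f.Kind == replacement.Kind) {
			kept = append(kept, f)
		}
	}
	u.Factors = append(kept, replacement)
	return nil
}

func main() {
	// Constructed sample accounts for the demonstration.
	alice := &User{Name: "alice", Factors: []Factor{{Kind: FactorPassword, Name: "password"}, {Kind: FactorMFADevice, Name: "key-1", Lost: true}}}
	bob := &User{Name: "bob", Factors: []Factor{{Kind: FactorPasswordlessDevice, Name: "laptop-touchid", Lost: true}}}
	carol := &User{Name: "carol", Factors: []Factor{{Kind: FactorPasswordlessDevice, Name: "laptop-touchid", Lost: true}, {Kind: FactorPasswordlessDevice, Name: "key-backup"}}}
	for _, c := range []struct {
		u       *User
		present string
		repl    Factor
	}{
		{alice, "password", Factor{Kind: FactorMFADevice, Name: "key-2"}},
		{bob, "laptop-touchid", Factor{Kind: FactorPasswordlessDevice, Name: "new-key"}},
		{carol, "key-backup", Factor{Kind: FactorPasswordlessDevice, Name: "new-key"}},
	} {
		codes, _ := c.u.IssueRecoveryCodes(3)
		fmt.Printf("%s: recover=%v remaining=%d\n", c.u.Name, c.u.Recover(codes[0], c.present, c.repl), len(c.u.RemainingFactors()))
	}
}
```

The model makes the issue's point concrete: bob fails with `ErrNoRemainingFactor` before any code is consumed, while carol's spare device (the "register additional passwordless devices" mitigation) lets the same flow succeed. Replace `hashCode` with bcrypt or scrypt and add rate limiting before using anything like this in a real service.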

codingllama commented 1 year ago

(FYI @kimlisa, as the account recovery expert.)

codingllama commented 1 year ago

As said in the text, multiple devices and/or passkeys are the best solution to this, as they would avoid the account being lost in the first place. We could look into UX improvements that would encourage users to look in that direction as a way to prevent lockouts. (FYI @xinding33)

That said, if we are to do further changes an RFD is in order.