In order to improve the security of the 2FA solution, it would be beneficial to add (optional) authentication for disabling 2FA and accessing the backup token page.
Expected Behavior
Users should provide additional authentication when disabling 2FA or accessing the backup token page. This can be either the user's password, an OTP, or even both (could be a setting).
Current Behavior
Currently a user can disable 2FA in an authenticated session without having to provide any additional authentication before changing this important security setting.
Possible Solution
The form for disabling 2FA should contain additional inputs for the user's password or for an OTP token, depending on the configuration.
Context
Improve security of the Django 2FA implementation
Your Environment
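The re-authentication gate described under "Possible Solution", as an added example (this is not code from the issue or from the Django 2FA project it concerns). It assumes a hypothetical REAUTH_REQUIREMENT setting holding any subset of {"password", "otp"}, a minimal User record with a PBKDF2 password hash and a raw TOTP secret, and a stdlib-only RFC 6238 TOTP check; the same gate would protect both the disable-2FA form and the backup token page. The demo user and its secret are constructed (the TOTP secret is the RFC 6238 test-vector key, so the expected codes are known).

```python
"""Re-authentication gate for sensitive 2FA actions (added example, hypothetical names)."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass

# Hypothetical setting: which factors must be re-presented before disabling 2FA
# or viewing backup tokens. An empty set reproduces the current behaviour
# (an authenticated session alone is enough).
REAUTH_REQUIREMENT = frozenset({"password", "otp"})

PBKDF2_ITERATIONS = 600_000
TOTP_STEP = 30
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    totp_secret: bytes  # raw key bytes shared with the authenticator app


def check_password(user: User, candidate: str) -> bool:
    # Constant-time comparison of the freshly derived hash against the stored one.
    return hmac.compare_digest(user.password_hash, hash_password(candidate, user.salt))


def totp(secret: bytes, at: int) -> str:
    # RFC 6238 / RFC 4226 dynamic truncation with HMAC-SHA1.
    counter = struct.pack(">Q", at // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** TOTP_DIGITS)).zfill(TOTP_DIGITS)


def check_totp(user: User, code: str, at: int, drift: int = 1) -> bool:
    # Accept the current time step and `drift` steps either side, so that small
    # clock skew does not lock the user out; every candidate is compared in
    # constant time and the loop never short-circuits on a match.
    if not code or not code.isdigit() or len(code) != TOTP_DIGITS:
        return False
    ok = False
    for d in range(-drift, drift + 1):
        ok |= hmac.compare_digest(totp(user.totp_secret, at + d * TOTP_STEP), code)
    return ok


def may_disable_two_factor(user: User, password=None, otp_code=None, at=None,
                           requirement=REAUTH_REQUIREMENT) -> bool:
    """Return True only if every factor named in `requirement` was supplied and verifies.

    A view would call this with the extra form inputs before disabling 2FA or
    rendering the backup tokens, and re-render the form on False.
    """
    at = int(time.time()) if at is None else at
    if "password" in requirement:
        if password is None or not check_password(user, password):
            return False
    if "otp" in requirement:
        if otp_code is None or not check_totp(user, otp_code, at):
            return False
    return True


def demo_user() -> User:
    # Constructed sample user; the TOTP secret is the RFC 6238 test-vector key.
    salt = b"constructed-salt"
    return User("alice", salt, hash_password("correct horse", salt), b"12345678901234567890")


if __name__ == "__main__":
    u = demo_user()
    # At t=59 the RFC 6238 SHA1 vector yields 94287082, i.e. "287082" at six digits.
    print(may_disable_two_factor(u, "correct horse", "287082", at=59))  # True
    print(may_disable_two_factor(u, "correct horse", None, at=59))      # False: OTP missing
    print(may_disable_two_factor(u, "wrong", "287082", at=59))          # False: bad password
```

With REAUTH_REQUIREMENT set to {"password"} only the password field is checked, and with an empty set the function accepts the session as-is, which is the behaviour the issue describes as the current one.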