Open consideRatio opened 2 years ago
I'm on board with letting already registered users sign up for 2FA, if it is enabled. I can also see the benefit of divorcing it from signup (however, we have to make sure that users know about where to find their 2FA token in their first session), both in general and for the benefit of #72.
Could you elaborate on when exactly the system would ask for the 2FA code, when it isn't part of the login anymore (that's the way I read your proposal)? On changing your password, maybe (see also #170) but where else?
We should also spend some thoughts on what happens when a user loses their 2FA factor and how admins can or could potentially help with that.
> Could you elaborate on when exactly the system would ask for the 2FA code, when it isn't part of the login anymore (that's the way I read your proposal)?

> (however, we have to make sure that users know about where to find their 2FA token in their first session)
Absolutely, I'm thinking that signup is a two-step process for whoever is required to, or opts to, set up 2FA directly on sign up:
> On changing your password, maybe (see also #170) but where else?
Ah, a relevant consideration. I want to avoid spreading the discussion towards something that can be done in a dedicated, smaller scope. I created #171 to represent this consideration instead.
> We should also spend some thoughts on what happens when a user loses their 2FA factor and how admins can or could potentially help with that.
Yepp, let's create a dedicated issue for this also: #172. This is another motivation to separate the signup page from the 2FA setup page.
I understand it as: we have some agreement that it would be a reasonable direction to head in, to do this refactoring where the 2FA setup and 2FA code validation are extracted from the login page and the signup page, but not necessarily from the login flow or signup flow - just the actual pages we render to the user as part of the login/signup flow.
It would be good to allow already registered users to register for 2FA authentication.
To implement this, I bet it's relevant to set up dedicated handlers for the 2FA matters. Currently, providing a code is part of the login screen, and setting up 2FA is part of the signup screen. If we would allow users to enable 2FA after they are created, we don't want to forcefully tweak the signup handler to manage this, as it would add too much complexity. It would be better to have a dedicated screen both to set up 2FA and to enter a 2FA code, I think.
I see no reason for this to be backward incompatible, but it will probably be a PR of quite significant size.
Action points (chronological order)
Related

- #72
  This is held back by the current 2FA UX where a user that is signing up must first register their code in their 2FA application. If we solve this and #168 first, we can make this quite easy I think.
- #168
- #155
- #153
- #152
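As an added sketch of the separation proposed in this issue (a signup handler that never touches 2FA state, dedicated setup and verification handlers, and enrollment that only completes once the user proves their authenticator app holds the secret, which is the UX gap noted under #72), the following is example code written for this discussion and not the project's own code; the in-memory `Users` store, its field names and the choice of TOTP are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, standard library only."""
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class Users:
    """Constructed in-memory store; passwords are plain text only to keep the sketch short."""
    def __init__(self) -> None:
        self.db: dict = {}

    # Signup handler: creates the account only; it never touches 2FA state.
    def signup(self, name: str, password: str) -> None:
        self.db[name] = {"password": password, "totp_secret": None, "pending": None}

    # Dedicated 2FA setup handler, step 1: issue a secret for the user's app.
    def start_2fa_setup(self, name: str) -> str:
        secret = secrets.token_bytes(20)
        self.db[name]["pending"] = secret
        return base64.b32encode(secret).decode()  # what the user enters into the app

    # Step 2: enrollment counts only once the user proves the app holds the secret.
    def confirm_2fa_setup(self, name: str, code: str, now: int) -> bool:
        user = self.db[name]
        pending = user["pending"]
        if pending is None or not hmac.compare_digest(code, totp(pending, now)):
            return False
        user["totp_secret"], user["pending"] = pending, None
        return True

    # Login handler: password first; a code is demanded only after enrollment.
    def login(self, name: str, password: str, code: Optional[str], now: int) -> bool:
        user = self.db.get(name)
        if user is None or not hmac.compare_digest(user["password"], password):
            return False
        if user["totp_secret"] is None:
            return True  # no second factor enrolled yet, so none is asked for
        if code is None:
            return False
        # Accept the adjacent time steps too, to tolerate small clock drift.
        return any(hmac.compare_digest(code, totp(user["totp_secret"], now + d))
                   for d in (-30, 0, 30))
```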