Closed rrelmy closed 3 years ago
Yes, currently the way to disable 2FA for another user (if you have permission to edit a user's password) requires the user's 2FA code. The main way I was thinking support for this case would happen would be to edit the users file directly.
However, all admins may not have access, or the ability to edit the users file manually.
Therefore I think it is reasonable that users should be able to disable 2FA for another user.
Do you think an admin should have to enter their own 2FA code to disable 2FA for another user, as an additional layer of security?
I would say that is a reasonable layer of security 👍
A super admin should be able to disable already set-up 2FA of users to support them if they have lost their second factor.
Currently there are only two ways to disable 2FA of a user:
Ideally a separate user permission for non super-admin exists.
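
The step-up check discussed in this thread, sketched as an added example that is not part of the original discussion or the project's code: disabling another user's 2FA requires both a dedicated permission and the acting admin's own valid code, and every attempt is logged. The permission name `users.disable2fa`, the `User` class and `disable_2fa_for` are hypothetical, and TOTP (RFC 6238) is assumed as the second factor.

```python
import hashlib, hmac, struct
from dataclasses import dataclass, field
from typing import Optional

PERM = "users.disable2fa"  # hypothetical permission name, not from the project

def totp(secret: bytes, at: float, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, at: float, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side (clock drift)."""
    return any(
        hmac.compare_digest(totp(secret, at + i * 30).encode(), code.encode())
        for i in range(-window, window + 1)
    )

@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)
    totp_secret: Optional[bytes] = None  # None: 2FA is not set up

def disable_2fa_for(actor: User, target: User, actor_code: str, now: float, audit: list):
    """Disable target's 2FA only if the actor is permitted AND proves their own factor."""
    if PERM not in actor.permissions:
        reason = "missing permission"
    elif actor.totp_secret is None:
        reason = "actor has no 2FA to step up with"
    elif not verify_totp(actor.totp_secret, actor_code, now):
        reason = "actor 2FA code rejected"
    else:
        target.totp_secret = None  # the target's own code is never required
        audit.append((now, actor.name, target.name, "2fa-disabled"))
        return True, "ok"
    audit.append((now, actor.name, target.name, "denied: " + reason))
    return False, reason

if __name__ == "__main__":
    # Constructed sample accounts and secrets.
    admin = User("admin", {PERM}, b"constructed-admin-secret")
    bob = User("bob", set(), b"constructed-bob-secret")
    log, now = [], 1_700_000_000
    print(disable_2fa_for(admin, bob, totp(admin.totp_secret, now), now, log))
    print(log)
```

An admin without 2FA of their own is refused here, so the reset path cannot be weaker than the factor it removes.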