Open Half-Shot opened 5 years ago
In the same spirit we should also look to things like TOTP
100% yes!
Full webauthn support with email reporting of suspicious activity would be preferred. Relevant to: #2460
Description: Most services seem to implement this to alert users to break-ins. We should consider at least support sending a notification and optionally locking the account until verified through email or another medium.
It's not a major problem if people don't re-use passwords, but it happens.
To break this down further, I'd like to propose having different levels of security ranging from just checking if the user has signed in from a different region, to checking if the user's IP address has changed. This would be useful for people who want a paranoid mode.
In terms of spec, this would require the concept of an account being "locked" as well as an `account_data` type which could store the security level required to trigger a lock. I've mentioned it in synapse first because a server-level alert only (not locking the account) config option would require no spec changes.