piccolo-orm / piccolo_admin

A powerful web admin for your database.
https://piccolo-orm.com/ecosystem/
MIT License

Support multiple forms of MFA #425

Open Skelmis opened 1 month ago

Skelmis commented 1 month ago

This will be a decent piece of work but supporting multiple forms of MFA will help mitigate things such as losing the MFA device while further aligning with best practice.

dantownsend commented 1 month ago

Which form of MFA would you recommend tackling next - email?

Skelmis commented 1 month ago

Ah sorry, I wasn't entirely clear. I was originally meaning the ability to add multiple forms of MFA to a given account. So for example, adding two phones with different TOTP secrets so that if you lose a device you're not locked out.

dantownsend commented 1 month ago

OK makes sense. I couldn't find any clear guidance on best practices for multiple MFA devices. Should there be some cap? e.g. a max of 3?

If someone had loads then the login process slows down, because we have to check the codes for each device.

One 'hack' that some people use is to scan the setup QR code with multiple devices. We could let the user see the setup QR code again, but again, not sure if that's good practice or not.

Skelmis commented 1 month ago

I don't think I've seen a cap anywhere either, although I imagine something like five seems reasonable. And yeah, that is something people can do, although I wouldn't go showing the code again.

It's more so a thing that occurs when you want to set up multiple forms of MFA. For example, I use a combination of TOTP and YubiKeys.