rcpch / rcpch-audit-engine

Epilepsy12 Audit Platform
https://e12.rcpch.ac.uk/
GNU Affero General Public License v3.0

allow RCPCH users to reset 2FA #905

Closed AmaniKrayemRCPCH closed 3 months ago

AmaniKrayemRCPCH commented 4 months ago

E.g. if a user loses their phone.

At the moment, I remove the phone authentication method as a superuser. It would be helpful if other RCPCH staff can do this.

Otherwise, a way for users to complete 2FA if they don't have access to their phone would also be helpful.

mbarton commented 4 months ago

> a way for users to complete 2FA if they don't have access to their phone would also be helpful

Long term I think we should additionally support passkeys: https://www.tomsguide.com/news/what-are-passkeys. iOS and Android synchronise them across your devices so you'd be able to log in with anything logged in to your Apple ID or Google account.

We would still need a way to reset the user's 2FA manually. As part of this we should also do an additional factor check, e.g. a one-time email link, as we won't practically be able to verify the user's identity when they request the reset.
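
The one-time email link suggested in the comment above, sketched as an added example that is not part of the thread or the project's own code: a staff-initiated reset only takes effect once the user redeems a single-use, expiring token sent to their registered address. The class name, the 15-minute lifetime and the in-memory store (standing in for a database table) are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the issue does not specify one


class TwoFactorResetLinks:
    """Pending 2FA reset confirmations (hypothetical helper, in-memory store)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # user_id -> (sha256 hex of token, expiry timestamp)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Staff requested a reset: return the token to email to the user.

        Only a hash is stored, so a leaked table cannot be replayed, and a
        new request replaces any link issued earlier for the same user.
        """
        token = secrets.token_urlsafe(32)
        self._pending[user_id] = (self._digest(token), self._clock() + self._ttl)
        return token

    def redeem(self, user_id, token):
        """Return True exactly once for a valid, unexpired token.

        The caller removes the user's 2FA device only when this returns True.
        """
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        stored_digest, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[user_id]  # expired links are discarded
            return False
        if not secrets.compare_digest(stored_digest, self._digest(token)):
            return False
        del self._pending[user_id]  # single use: a second click fails
        return True
```
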

eatyourpeas commented 3 months ago

This is now fixed, but I will use @mbarton's suggestion to create a separate issue for the longer-term roadmap.