
Reauth 2nd factor to change 2FA settings #484

Closed
iandunn opened this issue Oct 19, 2022 · 1 comment · Fixed by #529

Comments

@iandunn
Member

iandunn commented Oct 19, 2022

Most sites w/ strong 2FA require re-authorizing the 2nd factor in order to make any changes to 2FA settings. Without that, certain types of attacks could disable 2FA, add unauthorized keys, etc.

For convenience, there could be a ~5 minute time window when re-auth isn't required, similar to sudo in Unix-based systems.

Related #476

@dd32
Member

dd32 commented Nov 3, 2022

In order to facilitate this, having a cookie set that contains the last time that 2FA was processed would be beneficial.

The redirect code in #490 may also be beneficial here, as with some validation of said cookie, it could require re-auth to continue.

3 participants