When to ask for the 2FA code / password? #171

When is it reasonable to ask for a 2FA code and/or password?
I've seen several examples where you need to validate your password, and perhaps also with a 2fa code, when about to change something critical. Perhaps we want such validations on attempts to change passwords or similar? I'm not sure what I think, but it's a question to consider that was raised by @lambdaTotoro in #167 (comment).

Comments

I think a good default answer would be "whenever we ask you your password, we also ask you your second factor".

Hmmm, well it is a very security-tight behavior, but it's more tight than what you do on GitHub.com for example. On GitHub.com, you are only asked about 2fa during signin, then as a confirmation when you are doing something sensitive you are asked for a password again. With #180 merged, I'm leaning towards aiming for just having a 2FA code be asked for during login and as a validation when setting up 2fa, but excluding asking for it when changing your/someone else's password. If you are an admin that wants to change 5 people's passwords or similar, it would be trouble to write out 5 2fa codes I'd say btw.

I'm also happy with just asking for 2FA on login.

Conclusion - we aim for this initially

Should we close this as a resolved topic as the actual actions would be represented by #168?

I think that's reasonable.