
Support multiple forms of MFA

Open Skelmis opened this issue 1 year ago • 4 comments

This will be a decent piece of work but supporting multiple forms of MFA will help mitigate things such as losing the MFA device while further aligning with best practice.

Skelmis, Oct 13 '24 22:10

Which form of MFA would you recommend tackling next - email?

dantownsend, Oct 15 '24 15:10

Ah, sorry, I wasn't entirely clear. I was originally meaning the ability to add multiple forms of MFA to a given account. So, for example, adding two phones with different TOTP secrets so that if you lose a device you're not locked out.

Skelmis, Oct 16 '24 07:10

OK, makes sense. I couldn't find any clear guidance on best practices for multiple MFA devices. Should there be some cap? e.g. a max of 3?

If someone had loads then the login process slows down, because we have to check the codes for each device.

One 'hack' that some people use is to scan the setup QR code with multiple devices. We could let the user see the setup QR code again, but again, I'm not sure if that's good practice or not.

dantownsend, Oct 16 '24 15:10
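As an added illustration of the per-device check and the cap discussed in the comment above (example code written for this thread, not piccolo_admin's own implementation): a submitted code is tried against every enrolled TOTP secret within a small time-step window, so the login-time cost grows linearly with the number of devices, and enrolment refuses new devices beyond an assumed cap of 3. The `Account` model, `MAX_MFA_DEVICES` and the device names are assumptions; the secrets in the comments are the RFC 4226/6238 test-vector key, not real credentials.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed cap on enrolled devices (the "max of 3" floated in the thread).
MAX_MFA_DEVICES = 3


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


@dataclass
class Account:
    # (device name, raw TOTP secret); hypothetical model, not piccolo_admin's tables.
    devices: List[Tuple[str, bytes]] = field(default_factory=list)


def add_device(account: Account, name: str, secret: bytes,
               cap: int = MAX_MFA_DEVICES) -> None:
    """Enrol another TOTP secret, refusing once the cap is reached."""
    if len(account.devices) >= cap:
        raise ValueError(f"at most {cap} MFA devices may be enrolled")
    account.devices.append((name, secret))


def verify_code(account: Account, code: str, at: Optional[int] = None,
                window: int = 1, step: int = 30) -> Optional[str]:
    """Return the name of the device whose code matched, or None.

    Every enrolled secret is tried in turn, so the cost grows linearly with
    the number of devices: this is the login slowdown that motivates a cap.
    """
    at = int(time.time()) if at is None else at
    for name, secret in account.devices:
        for drift in range(-window, window + 1):
            expected = totp(secret, at + drift * step, step)
            if hmac.compare_digest(expected, code):
                return name
    return None
```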

I don't think I've seen a cap anywhere either, although I imagine something like five seems reasonable. And yeah, that is something people can do, although I wouldn't go showing the code again.

It's more so a thing that occurs when you want to set up multiple forms of MFA. For example, I use a combination of TOTP and YubiKeys.

Skelmis, Oct 17 '24 04:10