twofactor_gateway
Recovery keys
This just crosses my mind:
- user has set up a signal gateway (not sure how the implementations are handling new keys)
- user is using 2F
- user gets a new phone, installs Signal, gets new keys
- wants to log in to Nextcloud
- gateway refused to send due to security constraints (keys are not matching)
When enabling 2F like this, we should probably spit out some recovery keys like with TOTP (if I remember).
> gateway refused to send due to security constraints (keys are not matching)
Haven't found anything about that scenario, but yes, this needs some error handling. Do you happen to know if the gateway will communicate this error via its REST API?
> gateway refused to send due to security constraints (keys are not matching)
Generally, people should generate backup codes for these situations. However, we currently can't enforce that (yet).
Not sure if it's possible with the Signal app... anyway, we can add a notice on how to act in this case (manually deleting the file on the gateway).
I can catch the error and answer accordingly.
New version should return
{'success': False, 'error': 'remote identity is not trusted'}
in case it happens.
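
The error handling discussed in this thread, as an added example that is not code from twofactor_gateway or from the gateway: it classifies a gateway reply so the login flow can point the user to backup codes when the Signal identity has changed. It assumes the reply reaches the client as a JSON body with the `success` and `error` fields shown in the last comment; the function names and user-facing messages are hypothetical.

```python
import json
from enum import Enum

# Error text as quoted in the last comment of the thread.
UNTRUSTED_IDENTITY = "remote identity is not trusted"


class Outcome(Enum):
    SENT = "sent"
    IDENTITY_CHANGED = "identity_changed"
    FAILED = "failed"


# Hypothetical messages: raw gateway error text is never echoed to the login page.
MESSAGES = {
    Outcome.SENT: "Code sent.",
    Outcome.IDENTITY_CHANGED: (
        "The code could not be sent because your Signal keys changed. "
        "Use a backup code or contact your administrator."
    ),
    Outcome.FAILED: "The code could not be sent. Try again later.",
}


def classify_gateway_reply(body):
    """Map a gateway reply body (assumed JSON) to an Outcome, failing closed."""
    try:
        reply = json.loads(body)
    except (TypeError, ValueError):
        return Outcome.FAILED
    if not isinstance(reply, dict):
        return Outcome.FAILED
    # Only a literal JSON true counts as delivered; "true", 1 or a missing key do not.
    if reply.get("success") is True:
        return Outcome.SENT
    error = reply.get("error")
    if isinstance(error, str) and error.strip().lower() == UNTRUSTED_IDENTITY:
        return Outcome.IDENTITY_CHANGED
    return Outcome.FAILED


def user_message(body):
    """Return the text to show on the second-factor challenge page."""
    return MESSAGES[classify_gateway_reply(body)]
```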