kratos
Webauthn passwordless and 2fa can be used to lock account
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [X] This issue affects my Ory Cloud project.
- [X] I have joined the Ory Community Slack.
- [X] I am signed up to the Ory Security Patch Newsletter.
Describe your problem
Since an email address must be unique, an attacker who has no access to a given mailbox can still register that address first and thereby lock the real owner out of the account.
When WebAuthn passwordless is set up on such an account, the attacker can use it to lock the individual's account, since it prevents the recovery flow from succeeding.
The same can happen with 2FA hardware keys and backup codes: we can link a YubiKey to the account, create backup codes, and then unlink the YubiKey (keeping the backup codes). When the real user tries to recover the account, they will be required to enter a backup code they do not have.
Describe your ideal solution
Workarounds or alternatives
Version
v0.10.1
Additional Context
Discussed in https://github.com/ory/kratos/discussions/2655
Originally posted by alantbarlow on August 10, 2022:
I want to require email verification during the registration process. The flow I want is the following:
- The user submits an email address for verification.
- The user verifies the email address
- The user finishes registration by selecting login method (Webauthn)
I'm wanting these steps to occur before the user is registered. It sounds like the verification can only happen on "known" addresses, which defeats the purpose of email verification. I need to be able to prevent sign-up with an unverified email address.
I'm also wanting to do something similar for the user changing their email address. From what I can see, that is also not possible for the same reason. I want the email to be verified before persisting the address into the database. That means before registration or before updating the registered email address.
Can you please let me know if this is possible?
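The lockout pattern from the problem description (an address squatted with backup codes or passwordless WebAuthn that the real mailbox owner does not hold) and the verify-before-persist registration asked for in the discussion above, modelled side by side as a small simulation. This is an added example, not Kratos code or the project's API: the store classes, the simulated mailbox, the token handling, the operator audit function, and the assumption that a passwordless-WebAuthn-only account cannot complete recovery (taken from the issue text) are all the example's own.

```python
"""Simulation of email squatting versus verify-before-persist registration.
Added illustration, not Kratos code: every name here is invented for the example."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class Identity:
    email: str
    email_verified: bool = False
    webauthn_passwordless: bool = False                    # WebAuthn is the only first factor
    backup_codes: set[str] = field(default_factory=set)    # second-factor lookup secrets


class RecoveryError(Exception):
    pass


class NaiveStore:
    """Design the issue describes: the unique address is persisted at registration,
    whether or not the registering party controls the mailbox."""

    def __init__(self) -> None:
        self.identities: dict[str, Identity] = {}
        self.mailbox: dict[str, list[str]] = {}   # simulated mail delivery, keyed by address

    @staticmethod
    def _new_identity(email, webauthn, backup_codes) -> Identity:
        return Identity(email, webauthn_passwordless=webauthn, backup_codes=set(backup_codes or ()))

    def register(self, email: str, *, webauthn: bool = False, backup_codes=None):
        if email in self.identities:
            raise ValueError("email already taken")      # uniqueness constraint
        ident = self._new_identity(email, webauthn, backup_codes)
        self.identities[email] = ident
        return ident

    def recover(self, email: str, has_mailbox: bool, backup_code: str | None = None) -> Identity:
        """Recovery as the issue describes it: a link to the mailbox, then the account's
        own second factor. Assumption from the issue: passwordless-WebAuthn-only accounts
        cannot complete recovery at all."""
        ident = self.identities[email]
        if not has_mailbox:
            raise RecoveryError("recovery link not received")
        if ident.webauthn_passwordless:
            raise RecoveryError("passwordless WebAuthn only; recovery cannot complete")
        if ident.backup_codes and backup_code not in ident.backup_codes:
            raise RecoveryError("valid backup code required")
        return ident


class VerifyFirstStore(NaiveStore):
    """Design the discussion asks for: credentials sit in a pending claim, and the
    address is bound to an identity only when the verification token that was mailed
    to it is presented. A squatter's claim therefore never becomes an account."""

    def __init__(self) -> None:
        super().__init__()
        self.pending: dict[str, Identity] = {}   # token -> unverified claim

    def register(self, email: str, *, webauthn: bool = False, backup_codes=None) -> str:
        if email in self.identities:
            raise ValueError("email already taken")
        token = secrets.token_urlsafe(16)
        self.pending[token] = self._new_identity(email, webauthn, backup_codes)
        self.mailbox.setdefault(email, []).append(token)   # only the mailbox owner sees this
        return token

    def verify(self, token: str) -> Identity:
        ident = self.pending.pop(token)
        if ident.email in self.identities:
            raise ValueError("email already taken")
        ident.email_verified = True
        self.identities[ident.email] = ident
        # Competing unverified claims on the now-bound address are discarded.
        self.pending = {t: i for t, i in self.pending.items() if i.email != ident.email}
        return ident


def strong_credentials_on_unverified(store: NaiveStore) -> list[str]:
    """Operator check: persisted addresses that carry WebAuthn or backup codes but were
    never verified are exactly where this lockout pattern shows up."""
    return sorted(i.email for i in store.identities.values()
                  if not i.email_verified and (i.webauthn_passwordless or i.backup_codes))


def simulate(store_cls) -> dict[str, bool]:
    """Squatter registers alice's address with backup codes (second scenario in the
    issue); reports whether the real mailbox owner ends up in control."""
    store, email, out = store_cls(), "alice@example.com", {}   # constructed sample data
    squat = store.register(email, backup_codes={"CODE-1234"})  # squatter never proves mailbox access
    try:
        claim = store.register(email)                          # the real owner's own claim
        out["owner_can_register"] = True
    except ValueError:
        out["owner_can_register"] = False                      # uniqueness blocks the owner
    if isinstance(store, VerifyFirstStore):
        store.verify(claim)                                    # owner presents the mailed token
        out["squatter_claim_gone"] = squat not in store.pending
    try:
        out["owner_recovers"] = store.recover(email, has_mailbox=True).email_verified
    except RecoveryError:
        out["owner_recovers"] = False                          # owner lacks the squatter's codes
    out["flagged"] = strong_credentials_on_unverified(store) == [email]
    return out
```

Running `simulate(NaiveStore)` shows the lockout (the owner can neither register nor recover, and the audit flags the address), while `simulate(VerifyFirstStore)` shows the squatter's claim discarded once the owner verifies, with recovery working against the owner's own credentials.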