
RFC: Send reset token code via SMS

Open ghost opened this issue 7 years ago • 2 comments

This is an excellent piece of software that fits our requirements well, and it's also written in Go, kudos!

We believe a new version might be released soon? We wanted to check with you if there are plans to add sending reset tokens via SMS to a phone number that is (pre)-stored in FreeIPA. For instance via a specialized online SMS service, or a mail-to-SMS gateway, or simply by calling a webhook that does whatever dirty work is behind it.

To give you an idea, our workflow is as follows:

  • User joins the firm
  • HR system gets to work, also interacting with the API of FreeIPA to create the user object and their related information (name, e-mail address, e-mail address alias, phone number, dummy password)
  • The username / password is communicated to the user

From that moment onwards the user can access their e-mail box, change / reset their password via Mokey, or access any other services. However, this is only done after communicating the username / password combination to a user, via paper or via phone, which is rather cumbersome and not the safest option.

We were therefore thinking of amending this workflow by having an HR system user add trigger a Mokey registration sequence where Mokey looks up a phone number and sends a registration / reset token to the user's phone number that it can pull from FreeIPA. (The user will already have a mobile phone handed over to them, so it seems the most ideal / more secure self-service option.)

Not sure what is feasible and if there is anything we can do to help you with this potential new feature. We're engineers, so certainly no Go developers ;-)

We'd love to hear your thoughts and regardless recommend Mokey (over PWM) for every FreeIPA environment in need of the functionality it offers.

ghost avatar Aug 30 '18 11:08 ghost

Sending tokens via SMS would be an interesting feature. No current plans to implement this but will give it some thought. The new version of mokey allows for user sign ups which may help your use case. You can require users to verify their email address before their account is enabled.

aebruno avatar Sep 12 '18 17:09 aebruno

If you add SMS verification, please also add in the ability to turn that off and set it as disabled by default. While convenient, SMS is among the least secure verification available.

gah242s avatar Feb 13 '20 16:02 gah242s