Adding a Reset 2FA to Users in the Control Panel #16681
-
|
I've run across a scenario where a user acquires a new mobile device and had trouble resetting their 2FA in Craft 5. I understand it's possible to reset 2FA as a developer with the Here is a screenshot to illustrate, thanks for considering! 
|
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
We’ve discussed this before, but it introduces a major security vulnerability, as it would be relatively easy to convince someone with the proper permissions to press it, without properly verifying that they are who they say they are first. |
Beta Was this translation helpful? Give feedback.
-
|
@brandonkelly that definitely makes sense. It's a rare case, but for users who get stuck in the 2FA flow there isn't music for them to go on. 
What are your thoughts on adding some next step language? "Use one of your recovery codes" or "email your website administrator" |
Beta Was this translation helpful? Give feedback.
-
|
There will be a “Try another way” link if they have recovery codes set up. Open to some sort of fallback messaging if they don’t, though. |
Beta Was this translation helpful? Give feedback.
-
|
Good to know about the recovery codes. If you all opt to add a fallback message in the future I think that could be nice. It would need to be configurable I assume, so that website owners could direct requests to the right person. Thanks for the reply! |
Beta Was this translation helpful? Give feedback.
There will be a “Try another way” link if they have recovery codes set up. Open to some sort of fallback messaging if they don’t, though.