FR: add option for additional 2FA verification for elevated session #6963
Labels: priority/4/normal (Normal priority items), status/needs-design (Requires thoughtful design), type/feature (Request for adding a new feature)
Description
Email alone is not a useful security factor; if anything, it is a hijack vulnerability for a compromised client (similar to SMS). This is a summarized version of some public hijackings, like some of the iCloud hijacks.
As such, I have configured "require 2FA" and "skip for elevated sessions". The problem is that "require 2FA" currently only requires the session to have been 2FA'd, not specifically that the elevated session and/or the requested action be 2FA'd. As a result, it is possible for a third party to backdoor a client and add a 2FA token without a 2FA prompt, if the backdoored client has an active 2FA'd SSO session.
The TL;DR request is to be able to require a 2FA verification specifically for the elevated session (or at least for the act of adding a 2FA token), instead of just accepting that there is an existing SSO session that was 2FA'd at its beginning.
Use Case
See description. TL;DR: this is a request to be able to require true physical 2FA verification to add additional 2FA tokens.
Details
See description.
Documentation
See description.
Pre-Submission Checklist
I agree to follow the Code of Conduct
I have checked for related issues and checked the documentation
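A sketch of the step-up check the request describes, as an added example that is not part of this issue or of the project's own code. It assumes a hypothetical Session type carrying a StepUpVerifiedAt timestamp, a five-minute freshness window (StepUpMaxAge), and a TOTP verifier written against the RFC 6238 test secret rather than a real enrolment. CurrentCheck mirrors the behaviour described above (any session that passed 2FA at login may add a token); CanAddTwoFactorToken is the proposed behaviour, where only a fresh code presented for this action unlocks it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Session models the state an SSO session would carry. Hypothetical type for
// this example; not the project's real session structure.
type Session struct {
	UserID           int64
	LoginVerified2FA bool      // 2FA passed at login (what "require 2FA" checks today)
	StepUpVerifiedAt time.Time // zero until a fresh code is presented for a sensitive action
}

// StepUpMaxAge is how long a fresh verification stays valid for sensitive actions (assumed).
const StepUpMaxAge = 5 * time.Minute

// totp computes an RFC 6238 code (HMAC-SHA1, 30 s step) for the given Unix time.
func totp(secret []byte, unix int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.4
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// VerifyStepUp checks a freshly entered code against the user's enrolled secret,
// tolerating one 30 s step of clock skew either way, and records when it passed.
func VerifyStepUp(sess *Session, secret []byte, code string, now time.Time) error {
	for _, skew := range []int64{-30, 0, 30} {
		expected := totp(secret, now.Unix()+skew, 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			sess.StepUpVerifiedAt = now
			return nil
		}
	}
	return errors.New("invalid 2FA code")
}

// CanAddTwoFactorToken is the proposed check: a step-up verification no older
// than StepUpMaxAge is required. A 2FA'd login alone does not qualify.
func CanAddTwoFactorToken(sess *Session, now time.Time) bool {
	if sess.StepUpVerifiedAt.IsZero() {
		return false
	}
	return now.Sub(sess.StepUpVerifiedAt) <= StepUpMaxAge
}

// CurrentCheck mirrors the behaviour the issue describes: any session that
// passed 2FA at login may add a token, however long ago that was.
func CurrentCheck(sess *Session) bool {
	return sess.LoginVerified2FA
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real enrolment
	now := time.Unix(1234567890, 0)

	// A session 2FA'd at login and later reached through a backdoored client:
	// the attacker holds the session but not the authenticator.
	sess := &Session{UserID: 1, LoginVerified2FA: true}
	fmt.Println("today:   ", CurrentCheck(sess))
	fmt.Println("proposed:", CanAddTwoFactorToken(sess, now))

	// The legitimate user presents a fresh code from the enrolled authenticator.
	if err := VerifyStepUp(sess, secret, totp(secret, now.Unix(), 6), now); err != nil {
		panic(err)
	}
	fmt.Println("after step-up:", CanAddTwoFactorToken(sess, now))
	fmt.Println("10 min later: ", CanAddTwoFactorToken(sess, now.Add(10*time.Minute)))
}
```

The freshness window is per action, not per session: once StepUpMaxAge has elapsed the next sensitive action asks for a code again, so a stolen session cannot reuse an old verification.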