No backup/recovery code mechanism for MFA

May 10, 2021 at 17:28
Location: Bug trackers: Github
Keywords: Mattermost, security


After setting up multi-factor authentication, losing the authentication code-generating device means losing access to the Mattermost account. While having MFA is excellent, I’m afraid to set it up for my admin user account (which is the one most critically needing it), because there’s no recovery mechanism in case I lose my authenticator device.

Steps to reproduce

  1. Enable multi-factor authentication in the System Console
  2. Configure 2FA with an authenticator app on your phone
  3. Break/lose/have your phone stolen
  4. Try to log in

Expected behavior

Have a ”use a backup code instead” link next to the MFA token prompt.

Observed behavior (that appears unintentional)

There’s no alternative way to provide the MFA. You cannot log in.

Possible fixes

None available AFAICT. There’s no way to add security keys as alternatives either.

There’s an existing Jira ticket about this (and it’s linked to an abandoned PR), but it’s closed as ”moved to ProductBoard for prioritization”, and I don’t know what’s happened since then, as I don’t have access to ProductBoard (that I know of).
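For readers wondering what the requested ”use a backup code instead” mechanism involves on the server side, here is an added Go sketch of single-use recovery codes. It is not Mattermost code and does not reflect how Mattermost stores MFA state; the `BackupCodes` type, `GenerateBackupCodes` and `Redeem` are hypothetical names chosen for this illustration. The properties it demonstrates are the ones a recovery-code feature needs: codes generated from `crypto/rand`, shown to the user exactly once, stored only as hashes, compared in constant time, accepted case- and dash-insensitively, and invalidated after a single use.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Errors returned by Redeem. Callers should show the same generic login
// failure for both; the distinction is useful for audit logging only.
var (
	ErrInvalidCode = errors.New("backup code not recognised")
	ErrCodeUsed    = errors.New("backup code already used")
)

// codeAlphabet omits characters that are easy to confuse when read from paper (0/O, 1/l/I).
const codeAlphabet = "abcdefghjkmnpqrstuvwxyz23456789"

// BackupCodes is a hypothetical per-user store of hashed recovery codes.
// Only hashes are kept; the plaintext codes exist only at generation time.
type BackupCodes struct {
	hashes [][]byte
	used   []bool
}

// randomCode draws `length` characters uniformly from codeAlphabet using
// crypto/rand.Int, which avoids the modulo bias of `byte % len(alphabet)`.
func randomCode(length int) (string, error) {
	var sb strings.Builder
	max := big.NewInt(int64(len(codeAlphabet)))
	for i := 0; i < length; i++ {
		n, err := rand.Int(rand.Reader, max)
		if err != nil {
			return "", err
		}
		sb.WriteByte(codeAlphabet[n.Int64()])
	}
	s := sb.String()
	// Group as xxxxx-xxxxx so the code is easier to copy by hand.
	return s[:len(s)/2] + "-" + s[len(s)/2:], nil
}

// normalize makes lookup tolerant of how the user types the code back in.
func normalize(code string) string {
	code = strings.ToLower(strings.TrimSpace(code))
	code = strings.ReplaceAll(code, "-", "")
	return strings.ReplaceAll(code, " ", "")
}

// hashCode stores a SHA-256 digest of the normalized code. For a production
// system a deliberately slow hash (bcrypt/argon2) is preferable, since a
// 10-character code from a 31-symbol alphabet carries only ~50 bits of entropy.
func hashCode(code string) []byte {
	sum := sha256.Sum256([]byte(normalize(code)))
	return sum[:]
}

// GenerateBackupCodes creates n fresh codes. The returned plaintext slice is
// meant to be displayed to the user once; only the store should be persisted.
func GenerateBackupCodes(n int) ([]string, *BackupCodes, error) {
	store := &BackupCodes{hashes: make([][]byte, 0, n), used: make([]bool, n)}
	plain := make([]string, 0, n)
	for i := 0; i < n; i++ {
		code, err := randomCode(10)
		if err != nil {
			return nil, nil, err
		}
		plain = append(plain, code)
		store.hashes = append(store.hashes, hashCode(code))
	}
	return plain, store, nil
}

// Redeem accepts a code in place of the authenticator token and burns it.
// Every stored hash is compared so that timing does not reveal which slot matched.
func (b *BackupCodes) Redeem(code string) error {
	h := hashCode(code)
	match := -1
	for i, stored := range b.hashes {
		if subtle.ConstantTimeCompare(stored, h) == 1 && match == -1 {
			match = i
		}
	}
	if match == -1 {
		return ErrInvalidCode
	}
	if b.used[match] {
		return ErrCodeUsed
	}
	b.used[match] = true
	return nil
}

// Remaining reports how many unused codes are left, so the UI can prompt
// the user to regenerate a set before they run out.
func (b *BackupCodes) Remaining() int {
	n := 0
	for _, u := range b.used {
		if !u {
			n++
		}
	}
	return n
}

func main() {
	codes, store, err := GenerateBackupCodes(8)
	if err != nil {
		panic(err)
	}
	fmt.Println("show these once:", codes)
	fmt.Println("first use:", store.Redeem(codes[0]))  // <nil>
	fmt.Println("second use:", store.Redeem(codes[0])) // backup code already used
	fmt.Println("remaining:", store.Remaining())       // 7
}
```

Regenerating the set should require a fresh authenticator token (or a password re-prompt), and redeeming a code is the kind of event worth logging and notifying the account owner about, since it is exactly what an attacker holding a leaked code sheet would do.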

Mattermost version


