Avainsanana security

No backup/recovery code mechanism for MFA

10. toukokuuta 2021 klo 17.28
Sijainti: Vianhallintajärjestelmät: Github
Avainsanat: Mattermost, security

Summary

After setting up multi-factor authentication, losing the authentication code-generating device means losing access to the Mattermost account. While having MFA is excellent, I’m afraid to set it up for my admin user account (which is the one most critically needing it), because there’s no recovery mechanism in case I lose my authenticator device.

Steps to reproduce

  1. Enable up multi-factor authentication in the System Console
  2. Configure 2FA with an authenticator app on your phone
  3. Break/lose/have your phone stolen
  4. Try to log in

Expected behavior

Have a ”use a backup code instead” link next to the MFA token prompt.

Observed behavior (that appears unintentional)

There’s no alternative way to provide the MFA. You can not log in.

Possible fixes

None available AFAICT. There’s no way to add security keys as alternatives either.

There’s an existing Jira ticket ticket about this (and it’s linked to an abandoned PR), but it’s closed as ”moved to ProductBoard for prioritization”, and I don’t know what’s happened since then, as I don’t have access to ProductBoard (that I know of).

Mattermost version

v5.34.2

Vastaa viestiin sen kontekstissa (Github)

They independently prove to each other that they know the PSK/PMK

7. toukokuuta 2019 klo 18.39
Sijainti: Muut: Super User
Avainsanat: security, Wikipedia

@stokito The client (nor the access point) never send the password; see this answer (and Wikipedia).

Vastaa viestiin sen kontekstissa (Super User)