I would like to increase the security of some views such as submitting payouts, handling money or other potentially risky tasks.
To increase the security I would like to let the user re-submit his/her OTP once again for every POST action.
Expected Behavior
The scenario in which this might help is such that the user leaves his/her computer with the session already authenticated and goes off. Then some other person can come in and, for example, steal all the money from his/her account.
Current Behavior
In the current logic of django-two-factor-auth it is also possible to disable 2FA without any additional authentication and set up a new one.
It would be necessary to require a secondary 2FA also for the /account/two_factor/disable/ view in order to make this protection effective.
Possible Solution
The described scenario could be prevented if the user re-submits the OTP code before/during the POST request to the security-demanding view.
A second way to implement this might be to modify the @otp_required/OTPRequiredMixin decorator/mixin with a requirement for a maximum age of the authentication. So for example I could decorate the risky view with:
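A sketch of the two mechanisms the request above describes (a maximum age on the login OTP, plus a fresh OTP consumed by each POST to a sensitive view), as an added example that is not part of this issue or of django-two-factor-auth. It is framework-agnostic so that it runs stand-alone: a plain dict stands in for request.session, the Request/Response classes are constructed here, and the session keys, the hypothetical /account/two_factor/reverify/ view, the 60-second step-up window and the decorator name fresh_otp_required are all assumptions. In a Django project the same checks would sit inside the library's otp_required/OTPRequiredMixin and redirect to a real re-verification view.

```python
"""Re-verification ("step-up") check for sensitive views.

Added example, not part of this issue or of django-two-factor-auth. It is
framework-agnostic so it runs stand-alone: a plain dict stands in for
request.session and the Request/Response classes are constructed here.
Session keys, the reverify URL and the step-up window are assumptions.
"""
import time
from functools import wraps

OTP_VERIFIED_AT = "otp_verified_at"  # assumed: set when the login OTP is accepted
OTP_STEP_UP = "otp_step_up"          # assumed: one-shot marker set by a reverify view
STEP_UP_WINDOW = 60                  # seconds a fresh OTP stays usable for one POST
REVERIFY_URL = "/account/two_factor/reverify/"  # hypothetical view, not in the library


class Request:
    """Minimal stand-in for django.http.HttpRequest."""
    def __init__(self, method, session, path):
        self.method = method
        self.session = session  # dict instead of a SessionStore
        self.path = path


class Response:
    def __init__(self, status, body="", location=None):
        self.status, self.body, self.location = status, body, location


def redirect_to_reverify(request):
    # In Django this would be redirect(f"{REVERIFY_URL}?next={request.path}")
    return Response(302, location=f"{REVERIFY_URL}?next={request.path}")


def mark_otp_verified(session, now):
    """Called once the login OTP has been validated."""
    session[OTP_VERIFIED_AT] = now


def record_step_up(session, next_path, now):
    """Called by the reverify view after a fresh OTP validated; bound to one path."""
    session[OTP_STEP_UP] = {"path": next_path, "at": now}
    session[OTP_VERIFIED_AT] = now  # a fresh OTP also resets the general age


def fresh_otp_required(max_age=None, reverify_on_post=False, clock=time.time):
    """Hypothetical replacement for @otp_required with two extra checks:
    the login OTP must be younger than max_age, and, with reverify_on_post,
    every POST must consume a step-up marker recorded for this exact path."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            now = clock()
            verified_at = request.session.get(OTP_VERIFIED_AT)
            if verified_at is None or (max_age is not None and now - verified_at > max_age):
                return redirect_to_reverify(request)
            if reverify_on_post and request.method == "POST":
                # pop() makes the marker single-use even when the checks below fail
                step_up = request.session.pop(OTP_STEP_UP, None)
                if (step_up is None or step_up["path"] != request.path
                        or now - step_up["at"] > STEP_UP_WINDOW):
                    return redirect_to_reverify(request)
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


def payout_view(request):
    """Undecorated sensitive view; wrapped below and again in demo()."""
    if request.method == "POST":
        return Response(200, body="payout submitted")
    return Response(200, body="payout form")


# Wrapped with the real clock; the disable view from the issue would be wrapped the same way.
protected_payout = fresh_otp_required(max_age=600, reverify_on_post=True)(payout_view)


def demo():
    """Abandoned-session scenario with a fake clock; returns (status, body or location) per request."""
    t = [0.0]
    protected = fresh_otp_required(max_age=600, reverify_on_post=True, clock=lambda: t[0])(payout_view)
    session, out = {}, []

    def hit(method, at, path="/payouts/"):
        t[0] = at
        r = protected(Request(method, session, path))
        out.append((r.status, r.body or r.location))

    mark_otp_verified(session, now=0.0)           # login OTP accepted at t=0
    hit("GET", 10)                                 # form renders: age 10s < 600s
    hit("POST", 20)                                # no fresh OTP for this POST -> redirect
    record_step_up(session, "/payouts/", now=25)   # user re-entered OTP at t=25
    hit("POST", 25)                                # marker consumed -> payout goes through
    hit("POST", 30)                                # marker already used -> redirect
    record_step_up(session, "/account/two_factor/disable/", now=40)
    hit("POST", 40)                                # marker bound to another path -> redirect
    hit("GET", 700)                                # 660s since last OTP > max_age -> redirect
    return out


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The step-up marker is popped before it is checked, so a marker bound to the disable view cannot be replayed against the payout view and a single fresh OTP authorises exactly one POST; a real implementation would also need the reverify view itself to validate the token with the user's OTP device and to honour the `next` parameter only for same-origin paths.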