Backup codes can be downloaded within session #14
Comments
Pointing to the JavaScript method.

I think this is overkill, just allow printing and copy/paste.

I totally agree with @chillu, but I've triaged as originally scoped. I vote we should close this issue or change it to ensure it's clear to the user how they can print or copy their backup codes, but it's not my place to do so without PO approval 👍

I'm not sure this is a "standard" thing to do with MFA flows. Usually you only have one opportunity to get them: when they're first generated and shown to you.

I'll just remove that bit. When we were talking about this last week we were discussing how to avoid having them stored in session ever (for the download link) and everyone seemed on the same page...

In terms of the display of the backup codes, it'll happen in two places: the CMS in a Member's CMS fields, and on the frontend once a user has enabled and configured an MFA method (only TOTP, or do backup codes apply to other methods like Yubikey as well?). We can/should re-use the logic for generating the CMS fields for both places. I guess the frontend version would be a new controller action which would be redirected to after successfully configuring MFA. In the CMS it'd be part of CMS fields.

They do. All MFA methods extending this module will have backup codes provided. But I guess you don't get another set for a second MFA method? 🤔 Sounds good to me - we just want to avoid ever having backup codes in session.

Being able to view backup codes after sign up is a pattern that is common for Slack, Facebook and Google. But resetting the recovery codes after sign up is probably more secure. This shouldn't be a huge design flow change.

You're right, I'm sorry. Slack lets me view my unused backup codes whenever I want.
Allow backup codes to be downloaded within the session that they have been created in.
AC:
Notes:
Two ways of doing this:
a. PHP method, requiring streaming and custom session-deletion logic
b. JS method, creating a .txt file in the browser, but there may be browser compatibility issues (esp. for SS3 use cases)
Frontend notes:
Designs: https://projects.invisionapp.com/share/3PNSKZQYBJZ#/screens/322766388
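As an added illustration of option (b), not code from this module: the .txt file is assembled in the browser from the codes already rendered once after MFA setup, so nothing has to be kept in the server session for a download link, and when the Blob/download features are missing (the SS3 compatibility concern) it falls back to print/copy. The `siteName`, `win` parameter and sample codes are constructed for the example.

```javascript
// Added example, not the module's own code: client-side "download as .txt"
// for backup codes. The codes are assumed to already be on the page after
// MFA setup; nothing is stored server-side in session for the download.

// Build the text-file body from the codes shown to the user.
function formatBackupCodesFile(codes, siteName) {
  if (!Array.isArray(codes) || codes.length === 0) {
    throw new Error('no backup codes to write');
  }
  const header = `${siteName} MFA backup codes\n` +
    'Each code can be used once. Store this file somewhere safe.\n\n';
  return header + codes.map((c, i) => `${i + 1}. ${c}`).join('\n') + '\n';
}

// Feature-detect what the Blob + download-attribute approach needs; older
// browsers (the SS3 concern in the notes) may lack one of these pieces.
function canDownloadClientSide(win) {
  return Boolean(win && win.document && typeof win.Blob === 'function' &&
    win.URL && typeof win.URL.createObjectURL === 'function' &&
    'download' in win.document.createElement('a'));
}

// Offer the file as a download when supported; otherwise return the text so
// the caller can show it in a print/copy view, still with no server round trip.
// `win` is the browser window object (pass `window` in a page).
function offerBackupCodes(codes, siteName, win) {
  const text = formatBackupCodesFile(codes, siteName);
  if (!canDownloadClientSide(win)) {
    return { mode: 'print-or-copy', text };
  }
  const blob = new win.Blob([text], { type: 'text/plain' });
  const url = win.URL.createObjectURL(blob);
  const a = win.document.createElement('a');
  a.href = url;
  a.download = `${siteName}-backup-codes.txt`;
  win.document.body.appendChild(a);
  a.click();
  a.remove();
  win.URL.revokeObjectURL(url); // release the object URL once clicked
  return { mode: 'download', text };
}

// Constructed sample codes, for illustration only.
const SAMPLE_CODES = ['a1b2c3d4', 'e5f6g7h8', 'i9j0k1l2'];
```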