When to ask for the 2FA code / password?

[consideRatio]

When is it reasonable to ask for a 2FA code and/or password?

I've seen several examples where you need to validate your password, and perhaps also with a 2fa code, when about to change something critical. Perhaps we want such validations on attempts to change passwords or similar? I'm not sure what I think, but its a question to consider that was raised by @lambdaTotoro in #167 (comment).

[lambdaTotoro]

I think a good default answer would be "whenever we ask you your password, we also ask you your second factor".
Currently, that would be upon login and changing your own password.

[consideRatio]

I think a good default answer would be "whenever we ask you your password, we also ask you your second factor".

Hmmm, well it is a very security tight behavior, but its more tight than what you do on GitHub.com for example. On GitHub.com, you are only asked about 2fa during signin, then as a confirmation when you are doing something sensitive you are asked for a password again.

With #180 merged, I'm leaning towards aiming for just having a 2FA code be asked for during login and as a validation when setting up 2fa, but excluding asking for it when changing your/someone else's password. If you are an admin that wants to change 5 peoples password or similar, it would be trouble to write out 5 2fa codes I'd say btw.

[lambdaTotoro]

I'm also happy with just asking for 2FA on login.

[consideRatio]

Conclusion - we aim for for this initially

• Ask for 2FA code during login flow
• Ask for 2FA code during initial 2FA setup as a verification it was done correctly
  Allow users to validate their 2FA setup when its enabled #168

[consideRatio]

Should we close this as a resolved topic as the actual actions would be represented by #168?

[lambdaTotoro]

I think that's reasonable.