Send a user notification when new MFA device enrolled #634
Comments
|
Could this be performed by the totp functions inside this file? |
|
@MinhPhan8803 Not really. This is more likely to be about hooking the commit to submit an audit event that can then be stored or processed in different ways. I think it's a bigger feature than just being on the totp section, and would need a conversation and a design doc. |
|
I think I will just pass on this for now. |
|
Yeah, this would be a pretty big block of work :) |
|
I'm also interested in notifications - also for logins on new devices would be good. |
|
I actually think that this is related to #22 as this is just a subset of that. Re "new device" we don't do any device fingerprinting rn so we don't have an easy/obvious way to do that. |
|
Another thread to note is #1455 |
|
Yep, right. |
|
The issue is really doing the fingerprinting and identification on the server side, more than the storage requirements or enabling users to manipulate a security feature |
Yeah this. But also if a cookie/token is stolen then they can just steal the device id token too and bypass the notification. So we have to probably not use a device token/cookie to id devices here. |
yaleman
added
enhancement
When new MFA devices are enrolled, it's probably worth notifying users, in case their account has been compromised via another method.
Email's the most likely transport for this - obviously this only works if the user's got one listed - but it's better than nothing and likely to be there either way for other reasons.
The text was updated successfully, but these errors were encountered: