change password page in lobby should show QR code if available #1197
Comments
|
@fichtner normally the token codes should be secret and only delivered one time to the user (also the reason why you can't read the secret back from the google app). Providing the user his secret using only username+password is generally not a very good idea. |
|
@AdSchellevis ok, but that generally puts OPNsense in a position where it can't do that. Maybe a (default off) authentication server settings should control this behaviour? |
|
@fichtner then its probably more something for the "general settings", I don't mind if its off by default (although it should come with a warning). Normally tokens are kept at a very safe location, to put all in the same box we don't have that choice, but exposing the secret to the user is really not the intended method. |
|
Maybe make it appear only on first view so the user can obtain it over a SSL connection but only once? If the admin changes it, it could reappear for the user one time again? (if the user doesn't see it, it was possibly snagged by someone else and therefore should be invalidated anyway.) |
|
timeout |
To distribute the QR code to users, it's not practical to hand the code to a normal user.
@AdSchellevis does this make sense?
via: https://forum.opnsense.org/index.php?topic=3638.0
The text was updated successfully, but these errors were encountered: