
Webauthn passwordless and 2fa can be used to lock account #2656

Open
6 tasks done
Benehiko opened this issue Aug 10, 2022 Discussed in #2655 · 2 comments
Labels
bug Something is not working.

Comments


Benehiko commented Aug 10, 2022

Preflight checklist

Describe your problem

Since an email address needs to be unique, an attacker who has no access to the email address could lock the account.

When Webauthn passwordless is set up, the attacker can use it to lock the individual's account, since it prevents the recovery flow from succeeding.

The same can happen when using 2FA hardware keys and backup codes. We can link a yubikey to an account, create backup codes and unlink the yubikey (keeping the backup codes). When the real user tries to recover the account they will be required to enter a backup code.

Describe your ideal solution

Workarounds or alternatives

Version

v0.10.1

Additional Context

Discussed in #2655

Originally posted by alantbarlow August 10, 2022
I want to require email verification during the registration process. The flow I want to do is the following:

  1. The user submits an email address for verification.
  2. The user verifies the email address.
  3. The user finishes registration by selecting a login method (Webauthn).

I'm wanting these steps to occur before the user is registered. It sounds like the verification can only happen on "known" addresses, which defeats the purpose of email verification. I need to be able to prevent sign-up with an unverified email address.

I'm also wanting to do something similar for the user changing their email address. From what I can see, that is also not possible for the same reason. I want the email to be verified before persisting the address into the database. That means before registration or before updating the registered email address.

Can you please let me know if this is possible?

@Benehiko Benehiko added the bug Something is not working. label Aug 10, 2022
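To make the lockout concrete, here is an added Python model (not Kratos code; every name and value is constructed) contrasting the persist-then-verify registration the issue describes with the verify-then-persist flow requested in the quoted discussion, where an address only becomes a unique identity once mailbox control has been proven.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Registry:
    """Toy identity store, not Kratos code; models a unique-email constraint."""
    identities: dict = field(default_factory=dict)  # email -> owner (persisted)
    pending: dict = field(default_factory=dict)     # (email, owner) -> (code, expiry)
    ttl: float = 900.0  # seconds a verification code stays valid

    # Vulnerable flow: the address is persisted and made unique at registration
    # and verified later, so whoever registers it first reserves it.
    def register_unverified(self, email, owner):
        if email in self.identities:
            return False
        self.identities[email] = owner
        return True

    # Hardened flow: registration only records a per-requester pending claim; claims
    # for one address coexist, so nothing is unique until someone proves mailbox control.
    def start_verification(self, email, owner, now):
        if email in self.identities:
            return None
        code = secrets.token_hex(8)  # would be delivered only to that mailbox
        self.pending[(email, owner)] = (code, now + self.ttl)
        return code

    def complete_verification(self, email, owner, code, now):
        claim = self.pending.get((email, owner))
        if claim is None or now > claim[1] or email in self.identities:
            return False
        if not secrets.compare_digest(claim[0], code):
            return False
        self.identities[email] = owner
        for key in [k for k in self.pending if k[0] == email]:
            del self.pending[key]  # address is owned now; drop all other claims
        return True

def run_scenarios(email="victim@example.com"):
    """Constructed scenario: a stranger and the mailbox owner both claim the address."""
    weak, strong = Registry(), Registry()
    attacker_holds = weak.register_unverified(email, "attacker")
    victim_locked_out = not weak.register_unverified(email, "victim")
    attacker_code = strong.start_verification(email, "attacker", now=0)
    victim_code = strong.start_verification(email, "victim", now=1)
    # The attacker never sees either code: both went to the victim's mailbox.
    attacker_guess = strong.complete_verification(email, "attacker", "0" * 16, now=2)
    victim_claims = strong.complete_verification(email, "victim", victim_code, now=2)
    attacker_late = strong.complete_verification(email, "attacker", attacker_code, now=3)
    return attacker_holds, victim_locked_out, attacker_guess, victim_claims, attacker_late
```

The same per-requester pending claim with a TTL applies to an email change: the new address is not written to the identity until the code sent to it comes back.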
@trautonen

I'm also stuck on this with phone numbers. If I make a phone number verifiable, it will reserve the phone number unless the account is deleted. You can easily just create accounts and reserve phone numbers even if you don't have access to them.

@trautonen

I think currently the only viable solution is to use external SMS verification and manually add only the verified phone numbers to the Kratos database.
