Self-service MFA reset #725

Open

nikosdion opened this issue Jul 2, 2024 · 0 comments

Labels: enhancement (New feature or request)

nikosdion (Member) commented Jul 2, 2024

Right now, if you have lost access to all of your MFA methods you're in a pickle. If you're the only user you have to perform some database surgery to regain access. If you're a regular user you have to ask a Super User to help you. This can be avoided with a self-service MFA reset feature.

Options:

  • Allow self-service MFA reset. Default: yes.
  • Disallow self-service MFA reset for these groups. Default: Superuser.
  • Minimum period between MFA resets. Default: 3600 seconds.
  • Maximum number of MFA reset requests. Default: 2.

Asking for an MFA reset

If MFA reset is disabled because of #11 do not show an MFA reset link, do not allow the user to reset their MFA.

The link to the MFA reset is in the captive MFA method selection page, at the bottom, if and only if this feature is enabled, and the current user does not belong to a disallowed group.

The user MUST be logged in and MUST have one or more active MFA methods. You CANNOT ask for an MFA reset without being logged in, or when you do not have an MFA method enabled.

It records the last date and time an MFA reset has been requested, and how many MFA resets have been requested (the counter is increased by one every time you make a request).

If the MFA reset is unavailable for the user group it shows a message that this operation is not available at this time.

If the last MFA reset was within the “Minimum period between MFA resets” you are told to wait. If you have exceeded the “Maximum number of MFA reset requests” it tells you to contact the site's administrators.

Upon a successful request for an MFA reset, an email with an alphanumeric token is sent to the registered email address of the user. This is the HMAC-SHA-1 of the concatenation of the user's email, username, hashed password, and the PHP-serialised array of MFA methods, with a random 64-byte string as the key. The key is stored in the user data.

Verifying the MFA reset

If MFA reset is disabled because of #11 do not show an MFA reset link, do not allow the user to reset their MFA.

The user MUST be logged in and MUST have one or more active MFA methods. You CANNOT reset your MFA without being logged in, or when you do not have an MFA method enabled.

Clicking the email link brings the user to a form where they have to paste the token.

If the MFA reset is unavailable for the user group, or no MFA reset has been requested, it shows a message that this operation is not available at this time.

The valid token is recalculated from the database information and the key, then the key is immediately removed from the database.

The valid token is checked against the provided token.

If the token does not match, an error message is shown telling the user the token is invalid and they need to start over.

If the token is valid:

  • All MFA methods are disabled (same as clicking on the button to disable MFA).
  • The user is redirected to the Main page with a success message letting them know their password has been changed.
  • An email is sent to the user letting them know their MFA has been reset.
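The request and verification steps described above, modelled end to end as an added example. This is not code from the project; it is a stand-alone Python sketch of the flow, and it assumes a few things the issue leaves open: the user record and option names (`ResetConfig`, `User`, `mfa_reset_key`, `mfa_reset_count`, `last_mfa_reset_request`) are hypothetical, the PHP-serialised method array is stood in for by a sorted JSON dump, the four fields are concatenated directly as the text says, and the "email" is simply the returned token. The parts worth studying are the order of the checks, the key being removed from the record before the comparison so a token can be tried only once, and the constant-time comparison.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class ResetConfig:
    """The four options from the issue, with the stated defaults."""
    allow_self_service: bool = True                      # Allow self-service MFA reset
    disallowed_groups: FrozenSet[str] = frozenset({"Superuser"})  # groups that may not reset
    min_period: int = 3600                               # seconds between reset requests
    max_requests: int = 2                                # lifetime cap on reset requests


@dataclass
class User:
    """Hypothetical user record (constructed for this example)."""
    email: str
    username: str
    password_hash: str
    mfa_methods: List[str]
    group: str
    logged_in: bool = True
    mfa_reset_key: Optional[bytes] = None        # the random 64-byte key, stored in user data
    last_mfa_reset_request: Optional[int] = None # unix time of the last request
    mfa_reset_count: int = 0                     # incremented on every request


def _token(user: User, key: bytes) -> str:
    """HMAC-SHA-1 over email + username + hashed password + serialised methods.

    json.dumps(sort_keys=True) stands in for PHP serialize(); the hex digest is
    the alphanumeric token that would be emailed to the user.
    """
    payload = (user.email + user.username + user.password_hash
               + json.dumps(user.mfa_methods, sort_keys=True)).encode("utf-8")
    return hmac.new(key, payload, hashlib.sha1).hexdigest()


def _reset_available(user: User, config: ResetConfig) -> bool:
    """Feature enabled, user logged in, has MFA, and not in a disallowed group."""
    return (config.allow_self_service
            and user.logged_in
            and bool(user.mfa_methods)
            and user.group not in config.disallowed_groups)


def request_mfa_reset(user: User, config: ResetConfig, now: int) -> Tuple[str, Optional[str]]:
    """Step 1: the user asks for a reset. Returns (status, token_or_None)."""
    if not _reset_available(user, config):
        return ("unavailable", None)          # "not available at this time"
    if (user.last_mfa_reset_request is not None
            and now - user.last_mfa_reset_request < config.min_period):
        return ("wait", None)                 # inside the minimum period
    if user.mfa_reset_count >= config.max_requests:
        return ("contact_admin", None)        # quota exhausted
    user.last_mfa_reset_request = now
    user.mfa_reset_count += 1
    user.mfa_reset_key = secrets.token_bytes(64)   # fresh random key per request
    return ("ok", _token(user, user.mfa_reset_key))


def verify_mfa_reset(user: User, config: ResetConfig, provided: str) -> str:
    """Step 2: the user pastes the token from the email."""
    if not _reset_available(user, config) or user.mfa_reset_key is None:
        return "unavailable"                  # disabled, wrong group, or no request pending
    key = user.mfa_reset_key
    user.mfa_reset_key = None                 # remove the key BEFORE comparing: one attempt only
    expected = _token(user, key)              # recalculated from the stored record
    if not hmac.compare_digest(expected, provided):
        return "invalid"                      # user must start over with a new request
    user.mfa_methods.clear()                  # disable all MFA methods
    return "reset"
```

Note that the random key is consumed as soon as a verification is attempted, so a guessed token costs the attacker a whole new request, which in turn is bounded by the minimum period and the request cap.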

Security considerations

An attacker may have acquired or brute-forced a user's credentials, therefore they are able to initiate an MFA reset. The email must clearly state that if you have not initiated the MFA reset yourself you should go ahead and change your password now and DO NOT click on the link in the email.

If an attacker also has read access to the victim's email they can reset the MFA, thereby gaining access to the site. Therefore, Superusers and other privileged groups should NOT be able to self-service reset their MFA, even if it means it's a pain to recover from this situation. Hence the default settings.

@nikosdion nikosdion added this to the 2.0.0 milestone Jul 2, 2024
@nikosdion nikosdion added the enhancement New feature or request label Jul 2, 2024