Allow Passwordless Authentication to proceed without requiring a 2FA Code if has2faEnabled #12512
cormip started this conversation in Feature Requests
Replies: 0 comments
Currently, if a user attempts to log in using accounts-passwordless and also has Accounts.has2faEnabled, as per the docs, calling [Meteor.passwordlessLoginWithToken](https://docs.meteor.com/packages/accounts-passwordless.html#Meteor-passwordlessLoginWithToken) will result in an error: "2FA code must be informed".

This prevents accounts-passwordless from being used as a "backup" authentication method should the accounts-2fa-registered authenticator be unavailable. This is not a particularly rare scenario, e.g. the user loses their phone with the authenticator app. Also, note that it's not possible for the popular Google Authenticator to transfer accounts to a new phone without the old phone, so the user would need to be able to log in and re-register their authenticator app. In other words, the user ends up locked out of their account if they lose or replace their phone.

The recommended solution would be to make the requirement to provide a 2FA code an option when calling Meteor.passwordlessLoginWithToken. This way, a user could primarily use a 2FA code for authentication verification but be able to revert to using a passwordless token emailed to them should the primary 2FA not be available. To ensure the current method remains secure for those that choose to use it the original way, this setting would need to be a server-side configuration setting.
Related Discussion:
Token Authentication alone not possible with 2FA enabled? in Meteor Forum
#11896 - Modify Accounts to enable custom login processes
#11653 - Accounts improvements suggestions