Require Two-Step verification to change Two-step verification options

K

Kirby

Well-known member
If a TFA trusted device is compromised and the attacker has access to the password he can change (or completely disable) Two-step verification for the account.

To mitigate this, it would IMHO be useful to require the password and Two-step verification for the session before Two-step verification options can be changed.
 
Upvote 5
I would think this would be a basic requirement when the user is wanting additional security steps. Simple reliance on the password is NOT enough if one has gone to the extent to enable additional security features.
Personally.. I REALLY wish XF would enable passkey ability natively also.
 

Similar threads

C
  • Question
XF 2.2 disable the protection layer of two-step verification
Replies
1
Views
164
duderuud
duderuud
XDinc
[XTR] Manage Two-step Verification Providers
Replies
1
Views
284
Fatih Ozcan
Fatih Ozcan
K
  • Suggestion
Add an option to disable two step verification providers
Replies
4
Views
646
Kirby
K
powergirl
  • Question
XF 2.2 verification issue
Replies
3
Views
784
powergirl
powergirl
creativeforge
  • Question
XF 2.2 [solved] Two-step verification: does not authenticate
Replies
4
Views
587
creativeforge
creativeforge
Back
Top Bottom