Clarify who can edit 2FA for others #64
Comments
I like this 👍🏻 I think some of it could be done upstream too, and then this plugin can extend/modify to fit our specific needs.
Maybe we should only allow disabling, not setting up? The use case for disabling is account recovery, but I'm not sure there's a use case for setting up. With TOTP/WebAuthn the admin would need access to the user's phone/keys in most cases. I can maybe see it with email/backup codes, but it seems better for the user to do it themselves so that they understand it more.
I agree. I also think we should require those SA's to also have 2FA (and reauth it like they would for their own account, per #43)
I agree. There's a use-case where potentially the only thing that another admin should be allowed to do is either a) Disable 2FA or b) Generate a SINGULAR new backup code to allow the user to access their account. It seems like what we'd want on WordPress.org is instead of a disable-2fa option, is a one-click button that can be used to email the user a new backup code, which they can use then to manage their account. This could be more complicated with #43 depending on the grace-time between re-authorizations (i.e. I was thinking 15 minutes between last-2FA and editing 2FA, but maybe it needs to be more like an hour)
I don't feel great about emailing a backup code, since that essentially reduces it back to a single factor. Disabling 2FA also does that, though. It's not as bad if it's only valid for 15 minutes and can't be reused, because then the user would have to come back and ask the admin for another, and the admin would see that the attacker had set it up. Ideally the admin would give it to the user real time using the same communication medium that they used to verify their identity (e.g., a zoom video chat), and the user would use the code immediately. Maybe we need to have some deeper discussions and establish the account recovery process in order to figure this part out?
Currently 2FA can be edited/setup on behalf of someone else by anyone who can edit other users.
This means that Administrators can disable/setup 2fa for another administrator account.
On WordPress.org, we probably want to limit that to:
This might be something that we can apply at a security level rather than at the 2FA level
In the context of this issue, an "admin" includes forum moderators who have user edit caps. A privileged user is a super admin / committer / wordcamp role / etc user, someone who has more access than a freshly signed up account.
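One way to enforce the restriction discussed in this thread at the capability level rather than inside the 2FA screens, as an added example that is not the plugin's own code: a `map_meta_cap` filter for a hypothetical `edit_user_2fa` capability that requires the acting admin to have `edit_users`, to use 2FA themselves, and to have re-verified their second factor within the 15-minute window floated above. It assumes the upstream Two Factor plugin's `Two_Factor_Core::is_user_using_two_factor()` is loaded and that the last verification time is stored in a hypothetical user meta key `wporg_2fa_last_verified`.

```php
<?php
// Added example, not part of the plugin. Gates a hypothetical
// 'edit_user_2fa' meta capability (checked as
// current_user_can( 'edit_user_2fa', $target_user_id )).
// Assumed meta key 'wporg_2fa_last_verified' holds a Unix timestamp
// written by the plugin when the admin last passed a 2FA prompt.

define( 'WPORG_2FA_REAUTH_WINDOW', 15 * MINUTE_IN_SECONDS );

add_filter( 'map_meta_cap', 'wporg_map_edit_user_2fa_cap', 10, 4 );

function wporg_map_edit_user_2fa_cap( $caps, $cap, $user_id, $args ) {
	if ( 'edit_user_2fa' !== $cap ) {
		return $caps;
	}

	$target_id = isset( $args[0] ) ? (int) $args[0] : 0;

	// Users manage their own 2FA through the normal flow; nothing extra needed.
	if ( $target_id && $target_id === (int) $user_id ) {
		return array( 'exist' );
	}

	// Editing someone else's 2FA starts from the ordinary user-editing cap.
	$caps = array( 'edit_users' );

	// The acting admin must themselves have 2FA enabled (per the comments above).
	if ( ! class_exists( 'Two_Factor_Core' )
		|| ! Two_Factor_Core::is_user_using_two_factor( $user_id ) ) {
		$caps[] = 'do_not_allow';
		return $caps;
	}

	// ...and must have re-authenticated their second factor recently (per #43).
	$last_verified = (int) get_user_meta( $user_id, 'wporg_2fa_last_verified', true );
	if ( $last_verified <= 0 || ( time() - $last_verified ) > WPORG_2FA_REAUTH_WINDOW ) {
		$caps[] = 'do_not_allow';
	}

	return $caps;
}
```

Because the check lives in capability mapping, every screen or handler that calls `current_user_can( 'edit_user_2fa', $target_user_id )` inherits the same rule, and WordPress's own `do_not_allow` short-circuit denies the action for any role.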