allow multiple 2fa totp devices to be registered

RESOLVED WONTFIX

Status


defect
P3
normal
RESOLVED WONTFIX
4 years ago
Last year

People

(Reporter: glob, Unassigned)

Tracking

Production

Firefox Tracking Flags

(Not tracked)

Details

the current 2fa workflow drives people towards a single device.  this can be problematic if a device is lost or reset.  while bug 1199090 would help, another useful feature would be to allow multiple devices to be linked.

supporting multiple secrets per user is complex, however supporting multiple devices linked to the same secret is achievable.

here's how i picture it working:

if 2fa is enabled, add the ability to "configure another device"

this would prompt for 2fa verification, then show the user's existing secret as a qr code for scanning (as well as the 'show as text' toggle).
I'm slightly curious as to why Google and similar don't offer this feature, it makes me wonder if they know something we don't.

I guess one potential weakness with this is that if the re-prompt for 2fa verification mentioned in comment 0 accepted printable recovery codes, then one could go from <one time code> -> <unlimited codes> without resetting the 2fa secret, and so the original user could be none the wiser that their 2fa is now compromised.

If bug 1199090 were ever implemented, I guess we'd have to make sure we don't accept those one-off codes for the re-prompt here.
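Added illustration (not code from this bug, from Bugzilla, or from any of the commenters) of the two points above: comment 0's observation that several devices provisioned from the same TOTP secret simply compute the same codes, and comment 1's caveat that the "configure another device" re-prompt must accept a live TOTP code and never a one-time recovery code. The secret below is the RFC 6238 test-vector key rendered in base32, so the codes are checkable against the RFC; the Account/Device classes and the recovery-code set are assumptions made for the example, not Bugzilla's data model.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed example: the RFC 4226/6238 test key "12345678901234567890" in base32.
# A real deployment generates the secret with new_secret() instead.
SHARED_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def new_secret() -> str:
    """Fresh base32 TOTP secret (160 bits, the size most authenticator apps expect)."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, at // step)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift, constant-time compare."""
    counter = at // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), code)
               for d in range(-window, window + 1))


def provisioning_uri(account: str, issuer: str, secret_b32: str) -> str:
    """otpauth:// URI the 'configure another device' screen would render as a QR code."""
    return (f"otpauth://totp/{issuer}:{account}?secret={secret_b32}"
            f"&issuer={issuer}&digits={DIGITS}&period={STEP_SECONDS}")


class Device:
    """A registered authenticator. Every device provisioned from the same secret
    computes identical codes, which is why 'configure another device' needs no new secret."""

    def __init__(self, name: str, secret_b32: str):
        self.name = name
        self.secret_b32 = secret_b32

    def current_code(self, at: int) -> str:
        return totp(self.secret_b32, at)


class Account:
    """Hypothetical user record: one TOTP secret, a set of one-time recovery codes, N devices."""

    def __init__(self, secret_b32: str, recovery_codes):
        self.secret_b32 = secret_b32
        self.recovery_codes = set(recovery_codes)  # printable one-off codes, as in bug 1199090
        self.devices = []

    def login_second_factor(self, code: str, at: int) -> bool:
        """Login may use a TOTP code or burn one recovery code."""
        if verify_totp(self.secret_b32, code, at):
            return True
        if code in self.recovery_codes:
            self.recovery_codes.discard(code)  # each recovery code works exactly once
            return True
        return False

    def add_device(self, name: str, code: str, at: int):
        """The re-prompt for 'configure another device' accepts a live TOTP code only.
        Recovery codes are deliberately rejected here, so one leaked one-time code
        cannot be turned into a permanently enrolled authenticator without the user noticing."""
        if not verify_totp(self.secret_b32, code, at):
            return None
        device = Device(name, self.secret_b32)
        self.devices.append(device)
        return device
```

Usage: create `Account(SHARED_SECRET_B32, ["rc-1", "rc-2"])`, enrol a phone with `add_device("phone", totp(SHARED_SECRET_B32, now), now)`, then call `add_device` again with a second name and the same code to get a second device that produces the same `current_code(now)` as the first. Calling `add_device("laptop", "rc-1", now)` returns `None`, whereas `login_second_factor("rc-1", now)` succeeds once and then fails.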
Jeff is going to check out and get more thoughts on it.  potential for octo, potential not.
Priority: P2 → P3
note that login.mozilla.com already allows multi-device registration, so the precedent for this feature has already been set.

needinfo'ing jeff to put this on his radar.
Flags: needinfo?(jbryner)
DUO's client already supports multiple devices and I think given our varied use-cases we will need to continue to support multiple devices everywhere we implement 2fa. 

Another hitch besides registration is the login path. For example, OKTA allows you to pick which device you will use for 2fa at login time. If I pick DUO, then I get a choice about what type of DUO (push, sms, call, google authenticator via duo, yubikey, etc).
Flags: needinfo?(jbryner)
since duo already has multi-device covered, we only need to worry about totp.
Summary: allow multiple 2fa devices to be registered → allow multiple 2fa totp devices to be registered
Assignee: glob → nobody
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → WONTFIX