Jump to content

Suggestion: 2FA Backup Code[s]


Tyler Loewen

Recommended Posts

Posted

Being able to reset an account's 2FA via email allows for an exploit if a hacker is able to compromise the user's email address. If the user's email address is compromised, the hacker will be able to reset both the account's password and 2FA thus having the ability to access the account.

An available solution is to require contacting the administrator to reset the user's 2FA. But this requires an admin's time plus a hacker could still social engineer the admin.

Having 2FA backup codes would make the 2FA system less exploitable while not requiring an admin's time to reset the 2FA. I think this solution would be beneficial to Invision Power's commercial users and high traffic web sites.

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...