Make it possible to allow registration of u2f tokens by end users #222

Open
cviecco opened this issue Oct 21, 2019 · 1 comment

@cviecco
Contributor

cviecco commented Oct 21, 2019

As keymaster has started to be used by more organizations, the registration flow for users has shown its weakness. Thus it has been suggested to create a way for users to register their u2f tokens with no/minimal admin interaction. I have thought of 3 potential flows for this, described below.

Flow 1. Completely self-managed.

  1. User goes to keymaster and enters username/password
  2. Since the user does NOT have any 2FA tokens, a page to register their first token is displayed
  3. User registers their device (+ gets email notification) and on successful registration is redirected to the 2FA auth page
  4. User proceeds with 2FA token, and the flow continues normally.

Flow 2. Admin action required to enable self-registered token

  1. User goes to keymaster and enters username/password
  2. Since the user does NOT have any 2FA tokens, a page to register their first token is displayed
  3. User registers their device, but it is in a disabled state (+ gets email notification) + redirected to a page stating that admin action is required
  4. keymaster admin enables the token (mail is sent to user).

Flow 3. Admin initiated

  1. Admin tells keymaster to send a special, first-time registration email (time limited) for a specific user
  2. User opens the mail, which contains a URL (user specific) AND a token
  3. User goes to the registration URL, enters code and password
  4. New page to register the first token appears, user registers their token, and is then redirected to the 2FA auth page.
  5. User proceeds with 2FA token, flow continues normally.

I like, in order of preference, options 3, 1 and 2.
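The time-limited, user-specific code at the heart of Flow 3 (admin issues it, user redeems it after the password check, then registers the first token) could be handled like this. This is an added Go example, not keymaster's code or the author's proposal; the type names, the in-memory store keyed by the hash of the code, and the 24-hour lifetime in main are assumptions.

```go
package main
import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"sync"
	"time"
)
// bootstrapToken is one admin-issued first-time-registration code: bound to a single user and time-limited.
type bootstrapToken struct {
	user    string
	expires time.Time
}
// BootstrapStore keeps outstanding codes (in memory for this example) keyed by the SHA-256 of the code, so a leaked store yields nothing redeemable; now is a field so expiry is testable with a fake clock.
type BootstrapStore struct {
	mu     sync.Mutex
	tokens map[string]*bootstrapToken
	now    func() time.Time
}
// Issue is the admin step of Flow 3: mint a random code for user, valid for ttl, and return the value that goes into the user-specific email. Only its hash is stored server-side.
func (s *BootstrapStore) Issue(user string, ttl time.Duration) (string, error) {
	raw := make([]byte, 32) // 256 bits of CSPRNG output; not guessable within the lifetime
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	code := base64.RawURLEncoding.EncodeToString(raw)
	key := sha256.Sum256([]byte(code))
	s.mu.Lock(); defer s.mu.Unlock()
	s.tokens[string(key[:])] = &bootstrapToken{user: user, expires: s.now().Add(ttl)}
	return code, nil
}
// Redeem is the user step, run after the password check. Unknown, wrong-user, expired and replayed codes all fail with one generic error (no oracle for an attacker); a valid code is deleted so it is single-use.
func (s *BootstrapStore) Redeem(user, code string) error {
	key := sha256.Sum256([]byte(code))
	s.mu.Lock(); defer s.mu.Unlock()
	t, ok := s.tokens[string(key[:])]
	if !ok || s.now().After(t.expires) || subtle.ConstantTimeCompare([]byte(t.user), []byte(user)) != 1 {
		return fmt.Errorf("invalid or expired registration code")
	}
	delete(s.tokens, string(key[:])) // burn the code before the U2F registration page is shown
	return nil
}
func main() {
	store := &BootstrapStore{tokens: map[string]*bootstrapToken{}, now: time.Now}
	code, _ := store.Issue("alice", 24*time.Hour) // "alice" and 24h are constructed sample values
	fmt.Println("first redeem:", store.Redeem("alice", code), "| replay:", store.Redeem("alice", code))
}
```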

@sandralettau

Thank you
