As keymaster has started to be used by more organizations, the registration flow for users has shown its weakness. Thus it has been suggested to create a way for users to register their u2f tokens with no/minimal admin interaction. I have thought of 3 potential flows for this, described below.
Flow 1. Completely self-managed.

- User goes to keymaster and enters username/password.
- Since it does NOT have any 2FA tokens, a page to register its first token is displayed.
- User registers its device (+ gets email notification) and on successful registration is redirected to the 2FA auth page.
- User proceeds with 2FA token, and the flow continues normally.

Flow 2. Admin action required to enable self-registered token

- User goes to keymaster and enters username/password.
- Since it does NOT have any 2FA tokens, a page to register its first token is displayed.
- User registers its device, but it is in disabled state (+ gets email notification), and is redirected to a page stating that admin action is required.
- keymaster admin enables the token (mail is sent to user).

Flow 3. Admin initiated

- Admin tells keymaster to send a special, first-time registration email (time limited) for a specific user.
- User opens the mail, which contains a URL (user specific) AND a token.
- User goes to the registration URL, enters code and password.
- A new page to register the first token appears; user registers its token and is then redirected to the 2FA auth page.
- User proceeds with 2FA token; flow continues normally.

I like, in order of preference, options 3, 1 and 2. 3.
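One way to build the time-limited, user-specific code that Flow 3 mails out, as an added example in Go (not keymaster's own code): the code layout, the `Issue`/`Verify` functions, the server-side key and the Unix-second time arguments are all assumptions made here.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Assumed code layout: base64url(user|expiryUnix|nonce) "." base64url(HMAC-SHA256(key, payload)).
// The user field binds the code to one account, the expiry makes it time limited, and the random
// nonce lets the server record consumed codes so a mailed link cannot be replayed. Times are Unix seconds.
var ErrInvalidCode, ErrExpiredCode = errors.New("registration code invalid"), errors.New("registration code expired")
func sign(key, payload []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	return mac.Sum(nil)
}

// Issue creates the code mailed to username in Flow 3, valid for ttl seconds from now.
func Issue(key []byte, username string, ttl, now int64) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil || strings.Contains(username, "|") {
		return "", ErrInvalidCode // "|" is the field separator, so it cannot appear in the user field
	}
	payload := []byte(fmt.Sprintf("%s|%d|%x", username, now+ttl, nonce))
	return base64.RawURLEncoding.EncodeToString(payload) + "." + base64.RawURLEncoding.EncodeToString(sign(key, payload)), nil
}

// Verify checks the MAC in constant time before trusting any field, then the account binding and
// the expiry. It returns the nonce so the caller can reject a code that was already consumed.
func Verify(key []byte, code, expectedUser string, now int64) (string, error) {
	head, tail, ok := strings.Cut(code, ".")
	payload, err := base64.RawURLEncoding.DecodeString(head)
	if !ok || err != nil || !hmac.Equal([]byte(tail), []byte(base64.RawURLEncoding.EncodeToString(sign(key, payload)))) {
		return "", ErrInvalidCode
	}
	user, rest, _ := strings.Cut(string(payload), "|")
	expStr, nonce, _ := strings.Cut(rest, "|")
	exp, err := strconv.ParseInt(expStr, 10, 64)
	if err != nil || user != expectedUser || nonce == "" {
		return "", ErrInvalidCode
	}
	if now > exp {
		return "", ErrExpiredCode
	}
	return nonce, nil
}
```

The registration page would call `Verify` with the username from the user-specific URL and, on success, store the returned nonce as consumed before showing the token enrolment page.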