🚀 Feature: Fallback auth? #18
Comments
I think the best fallback option would be to add a second passkey to your account. Additionally, an administrator can provide a one-time access link if needed. While email might not be the most secure option, I could implement a recovery phrase that users can write down and use to regain access to their accounts. What do you think? Would a fallback passkey and a one-time access link be sufficient, or would you recommend adding another method, such as a recovery phrase or something else?
I think the recovery phrase makes sense, kind of like 2FA recovery codes. About the admin being able to provide a one-time link: what if the admin loses his key? 😄
Where this may not be someone's cup of tea, you can install KeepassXC if you want to keep the attack vector closer to home, as in on your trusted home computer, or you can install Vaultwarden (self-hosted Bitwarden-compatible system), and use the companion browser plugin for either respective app. Vaultwarden is what I use, so it natively uses the Bitwarden browser plugin which allows you to save passkeys within it. KeepassXC also does this if you turn the option on in the program, from what I've tested. Either of these methods would make a good backup passkey in the event of a lost hardware token or key!
@Node815 advertising for other projects on a question specifically about pocket-id is a bit weird
@sardaukar I don't see @Node815's comment as an advertisement because KeepassXC and Vaultwarden are password managers. You can use Vaultwarden to store your passkeys. This is like a backup of your passkeys because they get synced across your devices. But I still see the need to recover a Pocket ID account because there might be users that only use hardware passkeys, and when you lose them you can't access your account anymore.
An admin being able to issue a recovery link to the user's email (timed expiry), and all accounts having a recovery phrase would be awesome. Would like something in the Audit Logs if a recovery link is sent or a recovery phrase is used. If this was implemented, would we have the option to have keys revoked if the phrase was used? This would help prevent users from keeping keys they lost/can't find attached to their account.
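The fallback design sketched in the comment above (a write-down recovery phrase, an admin-issued one-time link with a timed expiry, audit-log entries for both, and revocation of all passkeys when a fallback is used), as an added Go example. This is illustrative code written for this thread, not pocket-id's own implementation; the Account and Credential types, the token format and the hashing choice are assumptions.

```go
package main
import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"errors"
	"time"
)
// Credential is one fallback secret kept only as a hash: a recovery phrase (Expires zero) or an admin one-time link.
type Credential struct {
	Hash    []byte
	Expires time.Time
}
// Account (assumed shape): passkey credential IDs, registered fallbacks and the audit log the thread asks for.
type Account struct {
	Passkeys  []string
	Fallbacks []Credential
	Audit     []string
}
// SHA-256 is enough for a 160-bit random secret; a user-chosen phrase would need argon2id or similar.
func hashSecret(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }
// newSecret draws 160 random bits as unpadded base32 (short enough to write down) and stores only the hash.
func (a *Account) newSecret(exp time.Time) string {
	b := make([]byte, 20)
	if _, err := rand.Read(b); err != nil { panic(err) }
	s := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b)
	a.Fallbacks = append(a.Fallbacks, Credential{Hash: hashSecret(s), Expires: exp})
	return s
}
// NewRecoveryPhrase is shown to the user once; NewOneTimeLink is issued by an admin and expires at now+ttl.
func (a *Account) NewRecoveryPhrase() string { return a.newSecret(time.Time{}) }
func (a *Account) NewOneTimeLink(ttl time.Duration, now time.Time) string {
	a.Audit = append(a.Audit, now.UTC().Format(time.RFC3339)+" one_time_link_issued")
	return a.newSecret(now.Add(ttl))
}
// Recover checks the secret in constant time against each unexpired fallback, consumes the match, revokes every passkey so a lost key cannot stay attached, and logs success and failure alike.
func (a *Account) Recover(secret string, now time.Time) error {
	h := hashSecret(secret)
	for i, c := range a.Fallbacks {
		if (c.Expires.IsZero() || now.Before(c.Expires)) && subtle.ConstantTimeCompare(c.Hash, h) == 1 {
			a.Fallbacks = append(a.Fallbacks[:i], a.Fallbacks[i+1:]...) // single use
			a.Passkeys = nil
			a.Audit = append(a.Audit, now.UTC().Format(time.RFC3339)+" recovery_used passkeys_revoked")
			return nil
		}
	}
	a.Audit = append(a.Audit, now.UTC().Format(time.RFC3339)+" recovery_failed")
	return errors.New("no valid fallback matched")
}
```

An expired link is skipped rather than deleted, so it can never be redeemed late; a failed attempt still leaves an audit line, which is what makes brute-force or misuse of the fallback visible.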
Is it possible for a one-time link to have an option to never expire, so I can print it and safekeep it?
@jbalatero No, but an administrator can create a one-time link over the CLI with
Feature description
This project is really interesting - what's the fallback scenario for lost keys, though?
Pitch
Maybe an email fallback, just until a new key is set up?