🚀 Feature: Fallback auth? #18

Open
sardaukar opened this issue Aug 26, 2024 · 8 comments
Labels
feature New feature or request

Comments

@sardaukar

Feature description

This project is really interesting - what's the fallback scenario for lost keys, though?

Pitch

Maybe an email fallback, just until a new key is set up?

@sardaukar sardaukar added the feature New feature or request label Aug 26, 2024
@stonith404
Owner

I think the best fallback option would be to add a second passkey to your account. Additionally, an administrator can provide a one-time access link if needed.

While email might not be the most secure option, I could implement a recovery phrase that users can write down and use to regain access to their accounts.

What do you think? Would a fallback passkey and a one-time access link be sufficient, or would you recommend adding another method, such as a recovery phrase or something else?

@sardaukar
Author

I think the recovery phrase makes sense, kind of like 2FA recovery codes.

About the admin being able to provide a one-time link: what if the admin loses his key? 😄

@Node815

Node815 commented Sep 7, 2024

While this may not be someone's cup of tea, you can install KeepassXC if you want to keep the attack vector closer to home, as in on your trusted home computer, or you can install Vaultwarden (a self-hosted Bitwarden-compatible system), and use the companion browser plugin for either respective app.

Vaultwarden is what I use, so it natively uses the Bitwarden browser plugin, which allows you to save passkeys within it. KeepassXC also does this if you turn the option on in the program, from what I've tested. Either of these methods would make a good backup passkey in the event of a lost hardware token or key!

@sardaukar
Author

@Node815 advertising other projects on a question specifically about pocket-id is a bit weird.

@stonith404
Owner

@sardaukar I don't see @Node815's comment as an advertisement, because KeepassXC and Vaultwarden are password managers. You can use Vaultwarden to store your passkeys. This is like a backup of your passkeys because they get synced across your devices.

But I still see the need to recover a Pocket ID account, because there might be users who only use hardware passkeys, and when you lose them you can't access your account anymore.

@acidRain-burns

An admin being able to issue a recovery link to the user's email (timed expiry), and all accounts having a recovery phrase, would be awesome. I would like something in the Audit Logs if a recovery link is sent or a recovery phrase is used.

If this was implemented, would we have the option to have keys revoked if the phrase was used? This would help prevent users from keeping keys they lost/can't find attached to their account.
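
The flow asked for above (a recovery link with a timed expiry, an audit-log entry when it is issued or used, and optional revocation of the account's remaining passkeys on use), as an added illustration that is not Pocket ID's own code: RecoveryStore, oneTimeToken and the field names are assumptions standing in for the real database, and only a hash of the link secret is ever stored.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"time"
)

type oneTimeToken struct {
	UserID    string
	ExpiresAt time.Time
}

// RecoveryStore is a hypothetical in-memory stand-in for the real database.
type RecoveryStore struct {
	Tokens   map[string]*oneTimeToken // keyed by hex(SHA-256(secret)), so a leaked table yields no usable links
	Passkeys map[string][]string      // userID -> passkey credential IDs
	Audit    []string                 // constructed audit-log lines
}

func hashSecret(secret string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(secret))) }
// IssueOneTimeLink mints a 256-bit random secret, stores only its hash with a timed expiry, and logs the issuance.
func (s *RecoveryStore) IssueOneTimeLink(userID string, ttl time.Duration, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	secret := base64.RawURLEncoding.EncodeToString(raw) // this goes into the link; only its hash is kept
	s.Tokens[hashSecret(secret)] = &oneTimeToken{UserID: userID, ExpiresAt: now.Add(ttl)}
	s.Audit = append(s.Audit, "recovery_link_issued user="+userID)
	return secret, nil
}

// RedeemOneTimeLink is single-use (the token is deleted), rejects unknown or expired links, optionally revokes every passkey on the account, and logs the use.
func (s *RecoveryStore) RedeemOneTimeLink(secret string, now time.Time, revokePasskeys bool) (string, error) {
	t, ok := s.Tokens[hashSecret(secret)]
	if !ok || now.After(t.ExpiresAt) {
		return "", fmt.Errorf("recovery link invalid, expired or already used")
	}
	delete(s.Tokens, hashSecret(secret))
	if revokePasskeys {
		s.Passkeys[t.UserID] = nil
		s.Audit = append(s.Audit, "passkeys_revoked user="+t.UserID)
	}
	s.Audit = append(s.Audit, "recovery_link_used user="+t.UserID)
	return t.UserID, nil
}
```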

@jbalatero

Is it possible for a one-time link to have an option to never expire, so I can print it and keep it safe?

@stonith404
Owner

@jbalatero No, but an administrator can create a one-time link over the CLI with docker compose exec pocket-id sh ./scripts/create-one-time-access-token.sh.

5 participants