FEATURE REQUEST: Make "needs bootstrap flow" explicit. #130
Comments
|
Can you elaborate on your use case? The design goal of the bootstrap case was to allow self-enrollment of MFA for first time users. |
|
Well, right now you need sort of a perfect storm to get the MFA sign-up logic to kick in. Sometimes they have an old key registered. Sometimes you just want to add another one temporarily while they're offsite or something. Sometimes you don't know what they're doing and you don't want to have to munge things to get everything right just to get them signed up for a new MFA key. If the user does one thing wrong, you need to reset it on the server and hope that the user isn't wildly clicking buttons on their end. And you're guaranteed to lose any other potentially working keys that might have been useful later on in the process. This basically makes getting a confused user access with a fresh key a slightly destructive and fairly disruptive act. It would be much easier to tell Keymaster (through a single toggle) that we're expecting to do this and then let it run with that. This also allows decoupling the creating of the user from the actual sign-up of the MFA. This is very useful for pre-provisioning users and for working with them over asynchronous means--especially if they're remote. In particular, it's nice to be able to enumerate the users and get people who haven't logged in yet. It makes using Keymaster the "system of record" for users much more functional. |
I've run into a few use-cases where it would be handy to be able to trigger the bootstrap workflow without deleting the current keys or where it would be handy to inhibit the bootstrap workflow but still have the user configured with no keys.
Would it be possible to do something like?
The text was updated successfully, but these errors were encountered: