I've run into a few use-cases where it would be handy to be able to trigger the bootstrap workflow without deleting the current keys or where it would be handy to inhibit the bootstrap workflow but still have the user configured with no keys.
Would it be possible to do something like this?
Add a boolean to the user DB indicating whether bootstrap was needed.
Default that to true or false based on some config value.
Have a button in the UI to flip the status.
Trigger the bootstrap flow based on that flag instead of "no keys".
Can you elaborate on your use case? The design goal of the bootstrap case was to allow self-enrollment of MFA for first time users.
We want this process to be noisy so that it is non-trivial to bypass the MFA after it has been enabled. And the easiest way for a user to notice that something is wrong is if they cannot log in.
Well, right now you need sort of a perfect storm to get the MFA sign-up logic to kick in. Sometimes they have an old key registered. Sometimes you just want to add another one temporarily while they're offsite or something. Sometimes you don't know what they're doing and you don't want to have to munge things to get everything right just to get them signed up for a new MFA key.
If the user does one thing wrong, you need to reset it on the server and hope that the user isn't wildly clicking buttons on their end. And you're guaranteed to lose any other potentially working keys that might have been useful later on in the process. This basically makes getting a confused user access with a fresh key a slightly destructive and fairly disruptive act. It would be much easier to tell Keymaster (through a single toggle) that we're expecting to do this and then let it run with that.
This also allows decoupling the creation of the user from the actual sign-up of the MFA. This is very useful for pre-provisioning users and for working with them over asynchronous means, especially if they're remote. In particular, it's nice to be able to enumerate the users and get people who haven't logged in yet. It makes using Keymaster as the "system of record" for users much more functional.