Support multiple forms of MFA #425
Comments
Which form of MFA would you recommend tackling next - email?
Ah sorry, I wasn't entirely clear. I was originally meaning the ability to add multiple forms of MFA to a given account. So for example, adding two phones with different TOTP secrets so that if you lose a device you're not locked out.
OK, makes sense. I couldn't find any clear guidance on best practices for multiple MFA devices. Should there be some cap? e.g. a max of 3? If someone had loads then the login process slows down, because we have to check the codes for each device. One 'hack' that some people use is to scan the setup QR code with multiple devices. We could let the user see the setup QR code again, but again, not sure if that's good practice or not.
I don't think I've seen a cap anywhere either, although I imagine something like five seems reasonable. And yeah, that is something people can do, although I wouldn't go showing the code again. It's more so a thing that occurs when you want to set up multiple forms of MFA. For example I use a combination of TOTP and YubiKeys.
This will be a decent piece of work but supporting multiple forms of MFA will help mitigate things such as losing the MFA device while further aligning with best practice.
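The "check the code against each enrolled device" loop and the per-account cap discussed in the thread, as an added example (not code from this project). It implements RFC 6238 TOTP over HMAC-SHA1 directly; the cap of five, the device records and the RFC 6238 test secret are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import struct

MAX_MFA_DEVICES = 5   # cap suggested in the thread; assumption for this example
TOTP_STEP = 30        # seconds per TOTP time step (RFC 6238 default)


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, int(at_time) // step)


def verify_any_device(devices: list, code: str, at_time: int, window: int = 1):
    """Return the id of the enrolled device whose secret produced `code`, else None.

    Every device is tried, with +/- `window` time steps of clock skew, using a
    constant-time comparison. The cost is a handful of HMAC computations per device.
    """
    for dev in devices:
        for skew in range(-window, window + 1):
            expected = totp(dev["secret"], at_time + skew * TOTP_STEP)
            if hmac.compare_digest(expected, code):
                return dev["id"]
    return None


def enroll_device(devices: list, device: dict) -> list:
    """Add a device, refusing once the account already holds MAX_MFA_DEVICES."""
    if len(devices) >= MAX_MFA_DEVICES:
        raise ValueError(f"at most {MAX_MFA_DEVICES} MFA devices per account")
    return devices + [device]


# Constructed sample enrolment: first secret is the RFC 6238 test key
# ("12345678901234567890" in base32), the second is an arbitrary distinct key.
SAMPLE_DEVICES = [
    {"id": "phone-1", "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
    {"id": "phone-2", "secret": "MFRGGZDFMZTWQ2LKGEZDGNBVGY3TQOJQ"},
]
```

At Unix time 59 the RFC 6238 vectors give `287082` for the first secret, so a login with that code resolves to `phone-1` regardless of how many other devices are enrolled.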