MicroPyramid/django-mfa

Request 2FA code before disable / Seed for backup code

renatodvc opened this issue · 2 comments

First let me say I'm new to GitHub, so I'm sorry if this is not the right place to raise questions and suggestions.
Also, I would like to thank the devs; this is the best MFA package for Django that I have found so far. Really appreciate the work!

I would like to suggest that it would be a good security practice to ask for a 2FA code when the user chooses to disable the MFA auth. (This prevents someone with physical access to the PC from disabling it while the session is still valid.)

I also think it would be a good idea to provide the key together with the QR code, at configure.html, so the user can print/copy/write it down as a backup code. I have tried to do it, unsuccessfully so far. I believe that's because I'm not familiar with the encode and decode funcs in configure_mfa at views.py. If you don't intend to add this feature, I would appreciate it if someone could shed some light on how I can do it myself.

Thanks,
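As an added illustration of the two requests in the post above (this is example code, not django-mfa's own code and not the poster's): a standard-library RFC 6238 TOTP check that refuses to disable MFA unless a fresh valid code is supplied, plus the base32 form of the secret that a configure page could display beside the QR code for the user to copy down. The `user` dict, the `disable_mfa()` handler and the sample secret (the RFC 6238 test key) are assumptions standing in for the project's user model and view.

```python
import base64
import hmac
import struct
import time

# Added example, not django-mfa's code. The user dict and disable_mfa() are
# assumptions standing in for the project's user model and its disable view.

def display_secret(secret: bytes) -> str:
    """Base32 form of the raw TOTP secret: the same value the QR code encodes,
    shown as text so the user can write it down as a backup."""
    return base64.b32encode(secret).decode("ascii")

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP for Unix time `at`, with a 30-second time step."""
    return hotp(base64.b32decode(secret_b32.upper()), at // step, digits)

def verify_totp(secret_b32: str, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current step and `window` steps either side; each comparison is constant-time."""
    return any(hmac.compare_digest(totp(secret_b32, at + n * step, step), code)
               for n in range(-window, window + 1))

def disable_mfa(user: dict, code: str, at=None):
    """Disable MFA only after a fresh code proves possession of the authenticator,
    so a still-valid browser session on its own cannot turn MFA off."""
    if not user.get("mfa_enabled"):
        return False, "mfa not enabled"
    now = at if at is not None else int(time.time())
    if not code or not verify_totp(user["mfa_secret"], code.strip(), now):
        return False, "invalid code"  # MFA stays on; worth logging as a security event
    user["mfa_enabled"] = False
    user["mfa_secret"] = None
    return True, "disabled"

if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret; its 6-digit code at Unix time 59 is 287082.
    user = {"mfa_enabled": True, "mfa_secret": display_secret(b"12345678901234567890")}
    print(user["mfa_secret"])                   # text to show beside the QR code
    print(disable_mfa(user, "000000", at=59))   # (False, 'invalid code')
    print(disable_mfa(user, "287082", at=59))   # (True, 'disabled')
```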

Hello team,

Well done so far, but ...

Yeah! Thanks @renatodvc for putting it forth; these are definitely among the most important features that need to be implemented for MFA to be called a 'Stable Version'.

Yes, this in turn adds two important requirements so far:

  1. Ask for the code while disabling MFA
  2. Providing backup codes

It would be great if we had these two in place as soon as possible, so that it eliminates all the other temporary changes that need to be made in our applications.

Please do consider these as priority features for the next upgrade.

Thanks,

@chaitu210 please do consider this as an important feature for the next upgrade of this package. Thanks,