Users can possibly bypass two-factor auth in places where they maybe shouldn't be able to
moggers87 opened this issue
Two-factor auth is optional for all our users.
Due to the way two-factor auth works on Inboxen, it is possible to have multiple sessions open before enabling two-factor auth. If those sessions become compromised (maybe you logged into a friend's computer and didn't log out) it may be possible to take certain actions that our users may have assumed would be protected by two-factor auth. Depending on the timing, django-elevate may not ask for password confirmation if it thinks the user has just logged in.
Some actions that come to mind:
- Deleting your account
- Changing your password
- Deleting inboxes
- Deleting emails
django_otp's `otp_required` has an `if_configured` kwarg that can enforce two-factor auth only in the case that the user has two-factor auth enabled on their account.
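To make the `if_configured` behaviour concrete against the stale-session case described above, here is an added model of the decision that decorator makes; it is not django_otp's or Inboxen's code, and `User`, `Session`, `otp_allows` and `delete_account` are hypothetical stand-ins.

```python
from dataclasses import dataclass


@dataclass
class User:
    username: str
    has_confirmed_otp_device: bool = False  # True once the account has 2FA enabled


@dataclass
class Session:
    user: User
    otp_verified: bool = False  # True only if *this* session passed an OTP challenge


def enable_two_factor(user: User) -> None:
    """Enabling 2FA marks the account but says nothing about sessions opened earlier."""
    user.has_confirmed_otp_device = True


def otp_allows(session: Session, if_configured: bool = False) -> bool:
    """Model (an assumption, not library code) of otp_required(if_configured=...).

    if_configured=False: every caller must have passed an OTP challenge.
    if_configured=True:  users who never enabled 2FA are let through; users who
                         did must have verified OTP in this particular session.
    """
    if session.otp_verified:
        return True
    if if_configured and not session.user.has_confirmed_otp_device:
        return True
    return False


def delete_account(session: Session, protected: bool) -> str:
    """Hypothetical sensitive view; 'protected' stands for otp_required(if_configured=True)."""
    if protected and not otp_allows(session, if_configured=True):
        return "denied: re-authenticate with a second factor"
    return f"deleted account {session.user.username}"


def stale_session_scenario() -> tuple:
    alice = User("alice")
    stale = Session(alice)                     # opened before 2FA was enabled, never logged out
    enable_two_factor(alice)                   # alice later enables 2FA from another device
    fresh = Session(alice, otp_verified=True)  # a login that actually answered the OTP prompt
    return (
        delete_account(stale, protected=False),  # unprotected view: stale session succeeds
        delete_account(stale, protected=True),   # protected view: stale session is refused
        delete_account(fresh, protected=True),   # protected view: OTP-verified session succeeds
    )
```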
Ironically, we already work around the bug in django-two-factor-auth that prompted me to look into this 😆