Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make users confirm their second factor before saving it #1870

sebvonhelsinki opened this issue May 10, 2024 · 0 comments

Make users confirm their second factor before saving it #1870

sebvonhelsinki opened this issue May 10, 2024 · 0 comments
enhancement New feature or request


Copy link

Is your feature request related to a problem? Please describe.
When setting up 2FA, the user sees the the TOTP setup QR code and confirms with a click on "FINISH". When the user clicks on "FINISH", TacticalRMM saves the TOTP base code, without verifying that the user actually has it set up successfully on their end. If the user, for any reason, was not able to set up 2FA successfully, they are now locked out of their account since TacticalRMM asks for 2FA confirmation on the next login.

Describe the solution you'd like
After showing the user the TOTP secret code/QR code, before the user can confirm that they have set up MFA, the user should be required to enter the current TOTP code generated from the currently shown TOTP secret. Only after this confirmation should the 2FA settings for the user be updated.

To streamline this, the confirmation could look as follows:

  • below the clean text TOTP secret, above the "FINISH" button, there could be a numbers-only text input field labeled "Enter your new TOTP code:"
  • when a user clicks "finish", the code is sent to the server and verified against the not-yet-saved TOTP secret
  • if the verification fail, the user stays on the page to set up 2FA and is confronted with an error message indicating that the TOTP-code entered was wrong
  • if the verification is successfull, the TOTP secret gets saved for the user in TacticalRMM. the user is redirected to the login page

Describe alternatives you've considered
No alternatives have come to mind.

Additional context
TacticalRMM is the first service I have encountered that activates 2FA without verifying that it actually works.

@silversword411 silversword411 added the enhancement New feature or request label May 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
enhancement New feature or request
None yet

No branches or pull requests

2 participants