bypass 2FA/MFA with auth_admin_passkey #526
Comments
|
Hi @codeagencybe. i think we can begin simply, without parameter, and if somebody want to disable this feature for 2FA, it can be done in a second time, with a parameter. |
|
Hello @legalsylvain I have create a PR #550 to add the new option for bypassing TOTP but the checks is giving some issues and I don't know why exactly. I have this running in a few production setups and it installed just fine and is working fine and secure. |
|
There hasn't been any activity on this issue in the past 6 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days. |
github-actions
bot
added
the
stale
Module
16.0/auth_admin_passkey
Describe the bug
Not sure if it's a bug or just "forgotten" but the bypass is not working if the user has 2FA/MFA enabled.
We use this module to help troubleshooting specific user issues with the best user and security experience for our client, since they don't have to share any login credentials in an insecure way.
We can just take their email/login and the auth_admin_passkey and we can get in to provide the requested support.
Or we can use it to verify any issues after upgrading modules etc...
Unless...they have 2FA/MFA enabled which also requires to enter the MFA token.
We would like to bypass this also so we don't have to ask for that MFA token. Especially when we are doing scheduled maintenance and upgrades after office times, if something breaks or we need to check, we can't since we don't have that MFA token.
To Reproduce
Affected versions: only tested v15 and v16 so far.
Steps to reproduce the behavior:
Expected behavior
Just bypass also 2FA/MFA or maybe have an extra system parameter to set "bypass_mfa" true/false?
Additional context
N/A
The text was updated successfully, but these errors were encountered: