Sudo prompt should allow OTP authentication even if an account has a password #1894
Comments
anishTP
changed the title
|
This is for the sudo check, not for login. If the account has a password, it shows a login prompt without an option for fallback to OTP. This differs from the login flow where OTP is the default flow but password login is available as a fallback option. One complication for sudo: it does not have a hint for where to send the OTP if the user has multiple contacts (email or phone), whereas during login flow the user provides it. Should sudo offer a choice of where to get the OTP? Is that a risk as it reveals information about the account (even if contacts are masked)? Should we assume this risk is okay as the user is already logged in? |
|
Yes correct. Suggestion: The sudo check could default to a OTP via SMS in case the phone number field is not NULL else via email. This way the user doesn't have to make any choice or risk revealing their contact information. |
|
We have to account for the failure conditions:
The OTP flow should ask the user where they'd like to receive it. Anyone logged into the account can see all contacts in |
jace
changed the title
Context
The user tries to update critical details on their project and are prompted to provide a password to authorize the action.
Problem
The current sudo check flow prioritises OTP sudo check over password sudo check. For users who login using an OTP and have no password this pattern does not allow authorizing critical edits or delete actions in project/accounts. Additionally in scenarios where the user has forgotten their password, the reset prompt does not allow for a reset through OTP.
The text was updated successfully, but these errors were encountered: