What's the point of preventing adding emails when 2fa enabled? #3913
Replies: 1 comment 2 replies
-
|
This prevents an attack vector where an attacker signs up using your email. Obviously, (s)he cannot verify the email, but if (s)he is allowed to turn on 2FA that will block you from being able to sign up. |
Beta Was this translation helpful? Give feedback.
-
|
I understand the attack vector, but I think there should be a way to add an e-mail when the second factor is enabled (our plan with 2FA is to be able to enforce it for some users and those would not be able to add an e-mail then). To accomplish that, a more complex workflow would be needed (store the pending e-mail elsewhere and add them after confirming them and authenticating via 2FA so that it is clear that the adding user controls both of them). |
Beta Was this translation helpful? Give feedback.
-
|
@nijel What you are suggesting -- storing the pending email elsewhere -- is something that is going to happen when support is added for email verification using a OTP. Then, the pending email is temporarily stored in a session, avoiding this issue altogether. Email OTP is on the roadmap... |
Beta Was this translation helpful? Give feedback.
-
I started to move my app from custom 2fa to allauth.mfa, and discovered that it prevents adding emails after you configure 2fa.
7bf4d5e
Why?
Can we make this check optional? I can create PR adding a setting, or maybe improving this (for example, preventing adding emails only when there's no other verified emails, it that makes sense.)
cc @pennersr
Beta Was this translation helpful? Give feedback.
All reactions