
Limit available providers #4

Closed
iandunn opened this issue Nov 3, 2022 · 1 comment · Fixed by #14

Comments

iandunn commented Nov 3, 2022

We should choose which providers we want to enable, and disable all of the others.

We'll probably want accounts with greater access to have more strict requirements. e.g., Core committers should use webauthn as primary and TOTP as backup, while regular users can use TOTP as primary and (maybe) email as backup.

iandunn added this to the MVP milestone Nov 3, 2022
iandunn commented Nov 9, 2022

For this I'm assuming that both WordPress/two-factor#439 and WordPress/two-factor#427 have landed, so the options are: Webauthn, TOTP, Email, Backup Codes, Dummy.

We should disable the Dummy provider of course. I think we should disable Email too. In some cases it's better than nothing, but we'd only want it available for regular users (who probably don't really need 2FA anyway). It's simpler to just disable it than trying to enable it conditionally based on someone's role. It'll simplify support as well. I've never seen a site offer email as a second factor.
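One way to enforce the outcome settled on above (keep only the providers we want, everything else off), written as an added example rather than code from this issue or the project. It assumes the Two Factor plugin's `two_factor_providers` filter and that the filtered array is keyed by provider class name (`Two_Factor_Totp`, `Two_Factor_Backup_Codes`, `Two_Factor_Email`, `Two_Factor_Dummy`); it is written as a must-use plugin so it loads before any regular plugin.

```php
<?php
/**
 * Plugin Name: Restrict two-factor providers (example mu-plugin)
 *
 * Allowlist approach: only the providers named here survive. A denylist
 * (unset Dummy and Email) would silently let any provider added by a
 * future plugin update become available; an allowlist fails closed.
 */

/**
 * Providers we intentionally enable. Keys are assumed to be the provider
 * class names the plugin uses in its providers array.
 * When the WebAuthn provider from WordPress/two-factor#439 lands, add its
 * key here; it is deliberately not guessed.
 */
function wporg_allowed_two_factor_providers(): array {
	return array(
		'Two_Factor_Totp',
		'Two_Factor_Backup_Codes',
	);
}

/**
 * Filter callback: intersect the plugin's provider list with our allowlist.
 * Dummy and Email are dropped here along with anything else not listed.
 *
 * @param array $providers Provider class name => path to the provider file.
 * @return array Filtered providers.
 */
function wporg_restrict_two_factor_providers( array $providers ): array {
	$allowed = array_fill_keys( wporg_allowed_two_factor_providers(), true );

	return array_intersect_key( $providers, $allowed );
}
add_filter( 'two_factor_providers', 'wporg_restrict_two_factor_providers' );
```

Because the filter runs on every request, a provider removed here also disappears from users' profile settings, so existing Email or Dummy configurations stop being usable rather than lingering as a weaker fallback.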
