#8235 RFE: Support for MFA backup recovery codes
Opened 4 years ago by ngompa. Modified 4 years ago

Request for enhancement

As a user, I want the ability to use generated backup recovery codes so that I can have a self-service way to reset MFA securely.

Issue

Currently, when IPA sets up MFA, it does not also generate a set of backup recovery codes that function as OTPs to use in an emergency for resetting MFA (for example, when you lose your MFA token device).

Because of this, resetting the MFA setup of a user requires manual intervention. This is mostly okay in corporate environments, but this is a problem for MFA support in Fedora's new AAA solution, as it doesn't scale well for large communities.

Description of requested functionality

The way I would like this to work is that when MFA is configured for a user, a set of recovery codes is generated, each of which can only be used once and is not accepted again afterwards. These codes would be given to the user at MFA enrollment time, with a warning that they need to be stored securely for account recovery purposes.

In the event that a user can log in with user+password but can't provide the MFA token, a recovery flow should be possible in which the user enters one of the recovery codes to get to the MFA settings and reset MFA.

Examples of systems that implement this mechanism are Amazon AWS IAM, Namecheap MFA, LastPass and 1Password MFA, and so on.
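The mechanism requested above, as an added illustration that is not FreeIPA code: codes are generated once at enrollment and shown to the user, only salted hashes are stored, and each code is accepted at most once; the recovery flow still requires the password and only unlocks the MFA reset step. Class and function names are assumptions for this example.

```python
import hashlib
import hmac
import secrets

def _digest(salt: bytes, code: str) -> bytes:
    # Per-user salted PBKDF2 so a copied store cannot be replayed as plaintext codes
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

class RecoveryCodeStore:
    """Unused recovery codes for one user, kept as hashes only (example code)."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self._unused: set[bytes] = set()

    def enroll(self, count: int = 10) -> list[str]:
        """Generate fresh codes; return plaintext once for display, keep only hashes."""
        codes = [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(count)]
        self._unused = {_digest(self.salt, c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Accept a code at most once; a second use of the same code is rejected."""
        candidate = _digest(self.salt, code.strip().lower())
        match = None
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):  # constant-time compare
                match = stored
        if match is None:
            return False
        self._unused.discard(match)  # single use: burn the code on success
        return True

    def remaining(self) -> int:
        return len(self._unused)

def recovery_flow(password_ok: bool, store: RecoveryCodeStore, code: str) -> str:
    """Password is still required; a valid unused code grants the MFA reset step only."""
    if not password_ok:
        return "denied"  # do not consume a code when the first factor failed
    return "mfa-reset" if store.redeem(code) else "denied"

if __name__ == "__main__":
    store = RecoveryCodeStore()
    shown_once = store.enroll()
    print("store these securely:", shown_once)
    print(recovery_flow(True, store, shown_once[0]), store.remaining())
```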
