Allow U2F 2FA when TOTP is disabled #5410
Comments
Yeah, it's kind of for historical reasons, but I agree this can be improved.
There are reasons to force you to enable TOTP, since many devices do not support U2F 2FA (iOS, IE, Edge, etc. etc.). This protects you from locking yourself out of your account.
Huh? You cannot enable U2F 2FA (or, you, at least, should not be able to) if the browser does not support it. Then you can't be locked out of your account. Generally said, of course, if enabling a 2FA method fails, it should obviously cancel that whole thing and not force it on the next login.
@rugk let's say I set up my account through Chrome on the desktop and I suddenly have a need to log in on a mobile device for some reason; how am I supposed to get into my account without TOTP, since my mobile device doesn't support U2F? By forcing TOTP first this issue is completely resolved and system admins won't have employees calling them about something that's basically a stupid issue.
Okay, I get it. It's about cross-browser/device login… Obviously as a user you would (have to) know what method you can use where and how. It has to be obvious (and I think it is) that all these examples do not work, and you blame yourself as a user if you forget your 2FA phone or so. Also U2F key 2FA is obviously more secure than just TOTP (e.g. against phishing), so I as a user may choose to deliberately only enable U2F, not TOTP. And as you can see, no other service (except for GitLab, but they also want to change it: https://gitlab.com/gitlab-org/gitlab-ce/issues/48918) forces TOTP for U2F activation. And I'd say many people on GitHub etc. thought about the whole thing in detail. If you want, you may just add a note/warning when enabling U2F that this cannot be used on some browsers/devices or so, but users may already know this anyway…
@rugk don't get me wrong, I think 99% of developers using this understand how all of this works; however, there's always some companies that let marketing, sales or other groups use a login, and those groups unfortunately (at least in my experience) lack the skill or thought process required to understand that something might not work across all devices.
@rugk GitHub also forces TOTP if you want to use U2F.
@JonasFranzDEV Really? That would be stupid, too. Cannot test it, however…
Adding my vote for the ability to use U2F without requiring a phone. |
U2F without TOTP is eminently reasonable: these are two separate technologies, and there is no reason to force one to enable the other. (Everyone thinks it would be unreasonable to require U2F to enable TOTP, right?) Plus it maps to my org's use pattern better: your SSH key is on your YubiKey, so it's logical that your YubiKey is also the thing you need to use to access the web UI. #11573 seems like a reasonable patch to me (needs some polish detecting that 2FA is enabled if the user is U2F only, which is ongoing).
This change enables the usage of U2F without being forced to enroll a TOTP authenticator. The `/user/auth/u2f` page has been changed to hide the "use TOTP instead" bar if TOTP is not enrolled. Fixes go-gitea#5410 Fixes go-gitea#17495
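The two pieces of logic the thread circles around, treating a U2F-only account as 2FA-enabled and only offering the "use TOTP instead" fallback when TOTP is actually enrolled, written out as an added Go example. This is not Gitea's code or the patch from #11573; the `User` fields, `BuildPrompt`, `EnrollU2F` and the scratch-token hash are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical enrolment records; field names are assumptions, not Gitea's models.
type TOTPEnrollment struct{ Secret string }
type U2FRegistration struct{ Name, KeyHandle string }

type User struct {
	Name             string
	TOTP             *TOTPEnrollment   // nil when TOTP was never enrolled
	U2FKeys          []U2FRegistration // empty when no security key is registered
	ScratchTokenHash string            // recovery ("one-time") password, set once any 2FA method exists
}

// TwoFactorEnabled reports whether login must ask for a second factor.
// A user with only security keys and no TOTP counts as enabled.
func TwoFactorEnabled(u *User) bool {
	return u.TOTP != nil || len(u.U2FKeys) > 0
}

// SecondFactorPrompt is what the second-factor page should offer.
type SecondFactorPrompt struct {
	AskU2F           bool // run the security-key challenge
	AskTOTP          bool // show the TOTP code form directly (no key registered)
	ShowTOTPFallback bool // show the "use TOTP instead" bar on the U2F page
	ShowRecovery     bool // accept the scratch/recovery token
}

// BuildPrompt derives the prompt from what the user actually enrolled.
func BuildPrompt(u *User) (SecondFactorPrompt, error) {
	if !TwoFactorEnabled(u) {
		return SecondFactorPrompt{}, errors.New("2FA is not enabled for this user")
	}
	hasU2F := len(u.U2FKeys) > 0
	hasTOTP := u.TOTP != nil
	return SecondFactorPrompt{
		AskU2F:           hasU2F,
		AskTOTP:          !hasU2F && hasTOTP,
		ShowTOTPFallback: hasU2F && hasTOTP, // hidden for U2F-only users
		ShowRecovery:     u.ScratchTokenHash != "",
	}, nil
}

// EnrollU2F registers a key without requiring TOTP first and makes sure a
// recovery token exists so a lost key does not lock the account permanently.
// newScratchHash is the already-hashed recovery token (hashing is assumed to happen elsewhere).
func EnrollU2F(u *User, reg U2FRegistration, newScratchHash string) error {
	if reg.KeyHandle == "" {
		return errors.New("empty key handle")
	}
	for _, k := range u.U2FKeys {
		if k.KeyHandle == reg.KeyHandle {
			return errors.New("key already registered")
		}
	}
	u.U2FKeys = append(u.U2FKeys, reg)
	if u.ScratchTokenHash == "" {
		u.ScratchTokenHash = newScratchHash
	}
	return nil
}

func main() {
	// Constructed scenario: a user who registers a security key and never enrols TOTP.
	u := &User{Name: "alice"}
	if err := EnrollU2F(u, U2FRegistration{Name: "yubikey", KeyHandle: "kh-1"}, "constructed-hash"); err != nil {
		panic(err)
	}
	p, err := BuildPrompt(u)
	if err != nil {
		panic(err)
	}
	fmt.Printf("2FA enabled: %v, prompt: %+v\n", TwoFactorEnabled(u), p)
}
```

The fallback bar is decided from `hasU2F && hasTOTP` rather than from "U2F is registered", which is exactly the behaviour change the description above asks for.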
Similar to GitLab, you seem to require TOTP 2FA to be set up before I can enable U2F.
Obviously this is a silly requirement, as I should be able to enable what I want and there is no reason to force TOTP to be enabled. Obviously it should still enable the recovery password (you seem to call it "one-time password").
See e.g. how any other website does it.