This repository has been archived by the owner on Jun 12, 2018. It is now read-only.

Request MFA code to validate MFA activation #373

Open
ook opened this issue Jan 16, 2017 · 2 comments

Comments


ook commented Jan 16, 2017

What?

When we enable MFA (multi factor authentication), cozy doesn't request any confirmation. Here is the list of problems:

  • some users won't understand what this feature is and they'll lock themselves out of their cozy
  • some users have a bad clock setup on their device / server and won't discover it before the next login when… they'll be locked out of their instance

How?

Don't enable MFA until they enter a valid code from their other device.
All major services use this scheme and can be used as examples: heroku, github, google, etc.

Contributor

jsilvestre commented Jan 16, 2017

Hi @ook,

You are absolutely right, this is a UX problem that is known and that we would like to fix. That being said, we won't change that in the near future since we are rewriting everything, but this is definitely the target.

The activation UI could use some better layout & explanations too!

Thank you, and sorry!

@babolivier
Contributor

For the record, we thought of implementing such a thing, but Cozy's rewriting delayed it (the workload isn't that light, my schedule is quite busy right now, it would have been finished a few weeks (or a few months, if lucky) before the release of the new stack, which seemed a bit useless to me, I prefer waiting for the new stack).

What I had in mind was to implement a step between clicking "Enable" and actually enabling 2FA, where the user is asked for both their password (to prove it's actually them enabling 2FA and not someone using an open session) and an OTP (to ensure it's correctly configured).

I'll look into implementing this along the 2FA mechanisms once the new stack is mature enough.
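The confirmation step proposed in this thread (ook's "don't enable until a valid code is entered", babolivier's "password plus OTP before flipping the switch"), as an added example in Go. This is not Cozy's code and not code from either commenter; it assumes a `VerifyPassword` callback supplied by the existing login code, RFC 6238 TOTP with HMAC-SHA1, 30-second steps and 6 digits, and a tolerance of one time step each way. The clock-drift diagnosis (searching a wider window only to tell the user their clock is off, never to accept the code) goes beyond what the thread says and is an assumption of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const (
	totpStep   = 30 * time.Second
	totpDigits = 6
	totpSkew   = 1  // accept codes from the adjacent steps only (RFC 6238 guidance)
	diagSkew   = 20 // wider window used only to diagnose a wrong device clock
)

var (
	ErrNoPending  = errors.New("no 2FA activation in progress")
	ErrPassword   = errors.New("wrong password")
	ErrCode       = errors.New("code does not match")
	ErrClockDrift = errors.New("code only matches with a clock offset")
)

// Account holds the per-user 2FA state. The secret stays "pending" (untrusted)
// until ConfirmActivation succeeds; only Enabled == true makes login ask for a code.
type Account struct {
	// VerifyPassword is assumed to be provided by the existing login code and to
	// perform the same password-hash check as a normal login.
	VerifyPassword func(password string) bool
	pendingSecret  []byte
	secret         []byte
	Enabled        bool
}

// TOTPCode computes the RFC 6238 code (HMAC-SHA1, dynamic truncation) for a step counter.
func TOTPCode(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < totpDigits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", totpDigits, bin%mod)
}

// TOTPCounter maps a wall-clock time to its 30-second step counter.
func TOTPCounter(t time.Time) uint64 {
	return uint64(t.Unix() / int64(totpStep/time.Second))
}

// BeginActivation generates a fresh 160-bit secret, stores it as pending and returns
// its base32 form for the QR code / manual entry. Nothing is enabled yet.
func BeginActivation(a *Account) (string, error) {
	secret := make([]byte, 20)
	if _, err := rand.Read(secret); err != nil {
		return "", err
	}
	return BeginActivationWith(a, secret), nil
}

// BeginActivationWith stores a caller-supplied secret as pending (used by the test
// with the RFC 6238 vector). Any previously enabled secret stays in force.
func BeginActivationWith(a *Account, secret []byte) string {
	a.pendingSecret = secret
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret)
}

// matchWithin reports the step offset at which code matches, within ±maxSkew steps.
func matchWithin(secret []byte, counter uint64, code string, maxSkew int) (int, bool) {
	for d := -maxSkew; d <= maxSkew; d++ {
		want := TOTPCode(secret, uint64(int64(counter)+int64(d)))
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			return d, true
		}
	}
	return 0, false
}

// ConfirmActivation is the step between "Enable" and actually enabling 2FA: it requires
// the password (proves the session owner is acting) and a code that matches within the
// accepted skew (proves the device and clock are set up). Only then is the secret trusted.
// On a clock problem it returns the step offset and ErrClockDrift so the UI can explain.
func ConfirmActivation(a *Account, password, code string, now time.Time) (int, error) {
	if a.pendingSecret == nil {
		return 0, ErrNoPending
	}
	if !a.VerifyPassword(password) {
		return 0, ErrPassword
	}
	counter := TOTPCounter(now)
	if _, ok := matchWithin(a.pendingSecret, counter, code, totpSkew); ok {
		a.secret, a.pendingSecret, a.Enabled = a.pendingSecret, nil, true
		return 0, nil
	}
	if d, ok := matchWithin(a.pendingSecret, counter, code, diagSkew); ok {
		return d, fmt.Errorf("%w: device clock is off by about %d seconds", ErrClockDrift, d*int(totpStep/time.Second))
	}
	return 0, ErrCode
}

func main() {
	acct := &Account{VerifyPassword: func(pw string) bool { return pw == "hunter2" }} // constructed demo account
	b32, _ := BeginActivation(acct)
	fmt.Println("provisioning secret:", b32, "enabled:", acct.Enabled)
	_, err := ConfirmActivation(acct, "hunter2", "000000", time.Now())
	fmt.Println("confirm with a bad code:", err, "enabled:", acct.Enabled)
}
```

A real deployment would also rate-limit ConfirmActivation (six digits brute-force in a few hundred thousand tries) and bind the pending secret to the session that started the activation.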
