Ability to share code with another Ente Auth user #2825
Replies: 4 comments 2 replies
-
On self-hosted (which is what I'm running), I imagine this would require some form of user management?
-
Personally, I wouldn't need or use such a feature, as it seems to introduce unnecessary security risks. The whole point of two-factor authentication (2FA) is to ensure that only the intended user has access to their accounts by requiring a second form of verification. Sharing 2FA codes, whether they are long-lived secrets or timed codes, undermines this security principle. If you're sharing codes with another person, it defeats the purpose of having a second authentication factor in the first place. The goal of 2FA is to create a barrier that only the legitimate user can cross, so allowing others access to these codes compromises the integrity of that barrier. For these reasons, I believe it's crucial to maintain strict control over 2FA codes and avoid any sharing that could potentially expose accounts to greater risk.
-
@vishnukvmd I see the timed sharing of codes was implemented! It looks great! Is there an option to share through a self-hosted server? Currently, the sharing is done through auth.ente.io even when sharing from a self-hosted instance. Has there been any further discussion on long-lived sharing?
-
Has any further thought been put into persistent shared codes (preferably via groups)? The ability to create shared groups, assign tokens (codes) to them (ideally like the add-labels functionality), and assign users who should have access to these groups is an important part of a credential management system (as well as logging, so maybe shared codes don't display unless clicked, to facilitate a future logging capability). Since very few websites allow multiple MFA credentials (let alone FIDO tokens) to be saved, and since it's quite common (especially in business) to need to share site credentials within groups (since not all websites allow users/teams), or with family where more than one person may need to access something (utilities, financials, shopping, delivery notification, etc.), this leaves either copying/sharing the seed to multiple devices, putting the seed in a password manager (arguably breaking the 2FA purpose unless using a second password app), or shutting off the extra MFA to allow access... The problem with putting the seed on each device is not having the ability to update them and have it propagate. Yes, this does create a revoking issue since we shared the seed, but you can just disable/enable MFA on the site and you get a new seed... (not that most people actually handle shared credentials properly anyways on staffing changes)
-
Either this could be long-lived (where we share the secrets themselves), or timed (where we share the generated codes for the next X minutes).
These two are separate requests, but creating a single discussion for now so folks can share their thoughts.
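The two sharing models described in the opening post differ in what leaves the owner's device: the long-lived model hands over the TOTP seed (the recipient can mint codes indefinitely), while the timed model hands over only the codes that will be valid for the next X minutes. The following is an added example, not Ente Auth's own code, that makes that difference concrete with an RFC 4226/6238 implementation; the seed is the constructed RFC 6238 test seed, and the `otpauth://` URI format and the `timed_share` tuple layout are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 6238 Appendix B test seed); not a real credential.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def long_lived_share(secret: bytes, issuer: str, account: str) -> str:
    """Long-lived sharing: export the seed itself as an otpauth URI (assumed format).

    Whoever receives this can generate valid codes until the site rotates the seed,
    which is exactly the revocation problem raised in the thread.
    """
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"


def timed_share(secret: bytes, start: int, minutes: int, step: int = 30):
    """Timed sharing: precompute only the codes valid in [start, start + minutes*60).

    Returns (valid_from, valid_until, code) tuples; the seed never leaves this function,
    so the recipient's access expires on its own once the window has passed.
    """
    first = start // step
    last = (start + minutes * 60 - 1) // step
    return [(c * step, (c + 1) * step, hotp(secret, c)) for c in range(first, last + 1)]


def valid_now(shared, now: int):
    """Pick the code from a timed share that is valid at `now`, or None once it has expired."""
    for valid_from, valid_until, code in shared:
        if valid_from <= now < valid_until:
            return code
    return None


if __name__ == "__main__":
    window = timed_share(DEMO_SECRET, 0, 1)
    for valid_from, valid_until, code in window:
        print(f"{valid_from:>4}-{valid_until:<4} {code}")
    print("after window:", valid_now(window, 120))
    print(long_lived_share(DEMO_SECRET, "Example", "alice"))
```

The `timed_share` list is everything a recipient needs for the window and nothing more, which is why the timed model is the one that does not leave a standing credential behind; the `long_lived_share` URI, by contrast, is equivalent to the seed and has to be treated with the same care as the seed itself.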