• Resolved jaredratcliff

    (@jaredratcliff)


    I’d like to suggest an additional 2FA Policy, making it possible to disable the TOTP “show QR code” option on the Profile page. I believe having this QR code visible reduces security; if a third party were able to access a legitimate user’s logged-in device, they could scan the code and gain access to the user’s 2FA codes, without having to reset the 2FA configuration. The legitimate user would never know their 2FA configuration had been compromised.


Viewing 1 replies (of 1 total)
  • Plugin Contributor robertabela

    (@robert681)

    Thank you for your feedback Jared.

    The role of 2FA is to harden / improve the authentication process. It does not come into play once the user is logged in. The same applies to passwords and any other authentication method.

    If a third party was able to access a legitimate user’s account via an already logged-in device, that account is already compromised. There is no 2FA, password or other security technology that can protect that account. The third party already has access to anything that account has access to.

    That is why we always recommend a number of tools + user awareness, education and training to keep a website secure.

    Should you have any other questions, please do not hesitate to ask.

    Have a great weekend.
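Added example, not code from the WP 2FA plugin or from either poster above: it shows concretely what both posts are talking about. A TOTP enrolment QR code encodes an otpauth:// URI, and that URI carries the long-lived shared secret. A one-time code seen on screen expires after the 30-second window, but anyone who has scanned the QR code holds the secret and can compute every future code, which is the concern in the first post; it also shows why this is only useful to someone who already had access to the logged-in session, as the reply says. The script implements RFC 6238 TOTP over RFC 4226 HOTP with only the Python standard library; the account label and the base32 secret in the sample URI are constructed for the example.

```python
"""Added example: why the contents of a TOTP enrolment QR code are sensitive.

The QR code is just an otpauth:// URI. Whoever decodes it gets the shared
secret and can compute the same codes as the user's authenticator app until
the secret is rotated. RFC 6238 TOTP / RFC 4226 HOTP, standard library only.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a TOTP enrolment QR code decodes to (the
# secret is the well-known base32 of b"Hello!\xde\xad\xbe\xef").
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example%20Site:alice?secret=JBSWY3DPEHPK3PXP"
    "&issuer=Example%20Site&algorithm=SHA1&digits=6&period=30"
)

_DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Extract label, raw secret bytes and TOTP parameters from an otpauth URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    secret_b32 = params["secret"][0].upper().rstrip("=")
    # Secrets are usually shown unpadded; base64.b32decode needs the padding back.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), _DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, int(unix_time) // period, digits, algorithm)


def code_from_qr(uri, unix_time):
    """The code anyone who scanned the QR can produce for a given moment in time."""
    p = parse_otpauth(uri)
    return totp(p["secret"], unix_time, p["period"], p["digits"], p["algorithm"])


if __name__ == "__main__":
    now = time.time()
    info = parse_otpauth(SAMPLE_OTPAUTH_URI)
    print("account:", info["label"])
    print("secret recovered from QR (hex):", info["secret"].hex())
    print("code valid right now:", code_from_qr(SAMPLE_OTPAUTH_URI, now))
    print("code valid in 24 hours:", code_from_qr(SAMPLE_OTPAUTH_URI, now + 86400))
```

The last two lines of output are the practical difference between a leaked code and a leaked QR: the secret recovered from the URI yields a valid code for any future time window, so the only remedy after a suspected exposure is to re-enrol with a fresh secret.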

  • The topic ‘Request: option to disable “show QR code” in Profile’ is closed to new replies.