by mgbmtl 886 days ago
Isn't that a usability vs security trade-off? Asking naively as a non-expert here.

In some systems, a password reset lets you bypass MFA. On Gitlab, however, you might be able to reset the password, but it will not let you bypass MFA (which was a nice mitigation for this CVE).

I often wonder about this, because people's email should have fairly good security (MFA, detect new devices, suspicious IPs, alerts, etc), and MFA on the other service lets them have similar protections. Both services might not be bullet-proof, but an attacker will likely generate alerts in one or the other.

Most of my users are very non-technical, and might not have access to their MFA (MFA reset requests are fairly frequent), so to be able to access using a one-time-secret sent by email seems like an acceptable compromise, especially if it means that more users will enable MFA. In systems I administer, less than 20% of users tend to enable MFA (it depends on org policy, and it's often optional).

Speaking of, I wish services would do auth by: login -> MFA -> pass, instead of login -> reCaptcha -> pass -> MFA. Especially for scenarios where MFA is mandatory. Having reCaptcha is really annoying considering I went the extra step of enabling MFA (ex: Stripe, Quickbooks).

1 comment

Without a captcha it is possible to iterate through all possible backup codes.
And a captcha... stops this? Even if it did, how about adding a captcha on the second try or just when entering the backup codes?
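The exchange above turns on whether a captcha is really what stops someone from cycling through backup codes, or whether the protection comes from how the server stores and throttles them. The following is an added illustration, not code from GitLab or from anyone in this thread: backup codes are kept only as salted hashes, each code works once, and a per-account failure counter locks verification after a handful of bad guesses. The thresholds (5 failures, 15-minute lockout), the 8-hex-character code format and the injected clock are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this example; a real deployment would tune them.
MAX_FAILED_ATTEMPTS = 5          # lock the account's backup codes after 5 misses
LOCKOUT_SECONDS = 15 * 60        # keep them locked for 15 minutes
PBKDF2_ITERATIONS = 50_000       # slows offline guessing if the hash table leaks


def _hash_code(code: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash so a database dump does not yield usable codes."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS)


class BackupCodes:
    """Single-use backup codes with attempt throttling (constructed example)."""

    def __init__(self, count: int = 10, now=time.monotonic):
        self._now = now                      # injectable clock for testing
        self._salt = secrets.token_bytes(16)
        # Plain codes are shown to the user exactly once; only hashes persist.
        self.plain = [secrets.token_hex(4) for _ in range(count)]  # 8 hex chars
        self._hashes = {_hash_code(c, self._salt) for c in self.plain}
        self.failed = 0
        self.locked_until = 0.0

    def is_locked(self) -> bool:
        return self._now() < self.locked_until

    def remaining(self) -> int:
        return len(self._hashes)

    def verify(self, candidate: str) -> bool:
        """Return True and consume the code if it matches; count failures otherwise."""
        if self.is_locked():
            return False
        h = _hash_code(candidate, self._salt)
        match = None
        # Check every stored hash so timing does not reveal how many remain.
        for stored in self._hashes:
            if hmac.compare_digest(h, stored):
                match = stored
        if match is None:
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.locked_until = self._now() + LOCKOUT_SECONDS
            return False
        self._hashes.remove(match)   # a backup code is valid only once
        self.failed = 0
        return True


def guesses_checked_before_lockout(codes: BackupCodes, candidates) -> int:
    """Defender's view: how many submitted guesses the server actually evaluated."""
    checked = 0
    for c in candidates:
        if codes.is_locked():
            break
        codes.verify(c)
        checked += 1
    return checked


if __name__ == "__main__":
    codes = BackupCodes(count=3)
    print("first use ok:", codes.verify(codes.plain[0]))
    print("reuse rejected:", codes.verify(codes.plain[0]))
    bad = [f"guess-{i}" for i in range(100)]   # constructed junk guesses
    print("guesses evaluated before lockout:", guesses_checked_before_lockout(codes, bad))
```

The point the example makes is that throttling lives with the account being attacked, not with the captcha widget: once the failure counter trips, further submissions are refused before any hash is computed, which is what caps an enumeration attempt regardless of whether the client solved a captcha.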