Provide a policy controlled way to reset factors from the web UI
Open, Needs Triage (Public)

Description

We have this happen often enough that it's relegated to support staff. It's not ideal to give support staff command line access to our phab instance. It would be nice if there was a "high security" place to go to that had a button someone could press, and an associated capability for resetting authentication factors when our employees lose their phones.

In the general case, as with the upstream cluster (T7639) I think the quorum thing in T9515 that @eadler mentions is the most promising way forward to reduce MFA support costs. Briefly, it would work like this:

  • Ahead of time, you list other users who you trust to verify your identity (e.g., coworkers on your team).
  • After losing your phone, you click "Lost my MFA" to get a reset link.
  • In person, you convince N of your pre-approved contacts to visit that link and authorize a reset.

This is sort of overkill if you can verify identities in person. It's technically straightforward to implement a magic button that strips MFA without all this quorum stuff, but then you end up with degenerate cases like this:

  • Compromise any administrator account.
  • Change the MFA policy to "anyone".
  • Strip MFA off all other accounts.

There are ways to avoid this with the policy.locked configuration setting, but they're complicated and in practice probably no one would do that. At the least, the path of least resistance would effectively mean "compromising any administrator account or any support account is sufficient to strip MFA from all accounts", which I don't love.

(And no matter what the policy is, this allows attackers to compromise a support account and then strip MFA from a "better" account, upgrading access.)
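
The three-step quorum flow sketched above, written out as an added example that is not Phabricator's own code or part of this task: a user pre-registers trustees, requests a reset token after losing a phone, and the factor is stripped only once N distinct trustees have approved a live, unused token. The class and method names, the choice of N = 2, and the 24-hour link lifetime are assumptions made for illustration. The point it shows beyond the prose is how the approver check closes the degenerate case discussed: an administrator or support account that is not on the requester's own trustee list cannot approve, so compromising one such account does not let an attacker strip MFA from a better account.

```python
"""Quorum-gated MFA reset: N of M pre-registered trustees must approve.

Added illustration only; class names, QUORUM and RESET_TTL_SECONDS are assumptions.
"""
import secrets
import time
from dataclasses import dataclass, field

RESET_TTL_SECONDS = 24 * 3600   # assumption: reset links expire after one day
QUORUM = 2                      # assumption: N = 2 approvals are required


@dataclass
class ResetRequest:
    user: str
    token: str
    created_at: float
    approvals: set = field(default_factory=set)
    consumed: bool = False


class MfaRecovery:
    def __init__(self, quorum=QUORUM, ttl=RESET_TTL_SECONDS):
        self.quorum = quorum
        self.ttl = ttl
        self.trustees = {}      # user -> set of usernames allowed to vouch for them
        self.mfa_enrolled = {}  # user -> True while a factor is enrolled
        self.requests = {}      # token -> ResetRequest

    # Step 1: ahead of time, the user lists coworkers who may vouch for them.
    def register_trustees(self, user, trustees):
        trustees = set(trustees) - {user}   # nobody may vouch for themselves
        if len(trustees) < self.quorum:
            raise ValueError("need at least N trustees to ever reach quorum")
        self.trustees[user] = trustees

    # Step 2: after losing the phone, the user asks for a reset link.
    def request_reset(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # unguessable link identifier
        self.requests[token] = ResetRequest(user=user, token=token, created_at=now)
        return token

    # Step 3: each trustee visits the link and authorizes the reset.
    def approve(self, token, approver, now=None):
        now = time.time() if now is None else now
        req = self.requests.get(token)
        if req is None or req.consumed:
            raise PermissionError("unknown or already used reset link")
        if now - req.created_at > self.ttl:
            raise PermissionError("reset link expired")
        # Only the requester's own pre-approved contacts count. An admin or
        # support account that is not on the list is rejected, so compromising
        # such an account does not let an attacker strip MFA from this user.
        if approver not in self.trustees.get(req.user, set()):
            raise PermissionError(f"{approver} is not a trustee of {req.user}")
        req.approvals.add(approver)   # a set, so a repeat approval counts once
        return len(req.approvals)

    def is_authorized(self, token):
        req = self.requests.get(token)
        return (req is not None and not req.consumed
                and len(req.approvals) >= self.quorum)

    # Step 4: strip the factor, but only once quorum is reached, and only once.
    def reset_factors(self, token):
        if not self.is_authorized(token):
            raise PermissionError("quorum not reached")
        req = self.requests[token]
        req.consumed = True               # single use: the link is dead after this
        self.mfa_enrolled[req.user] = False
        return req.user
```

In a real deployment the trustee list, requests and approvals would live in the database and the approval step would itself require the approver to pass their own MFA, which is what makes the quorum worth more than the single support-account check it replaces.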

eadler added a project: Restricted Project. Sep 15 2016, 6:03 PM