
Improve consistency of MFA requirements to invite/approve users
Open, Wishlist, Public

Description

See D19448. See https://hackerone.com/reports/351361.

We're currently inconsistent about MFA requirements for creating user accounts. On the main flow, you must MFA to create users after D19448. But you can still create users indirectly (by inviting or approving them) without MFA.

You can also edit Auth providers and enable registration without MFA.

Creating users isn't particularly dangerous, but could possibly be a tool that is used as part of a larger attack (for example, to extend illicit access). The current check is also effective at preventing the creation of special accounts (bots and mailing lists) without MFA, so it isn't entirely silly.

Probably, all of this should require MFA:

  • inviting users;
  • approving users;
  • managing Auth providers.

See also T7667 for additional controls around Auth provider management.

Event Timeline

epriestley triaged this task as Wishlist priority. May 14 2018, 2:14 PM
epriestley created this task.

From T13222, MFA on related flows should generally be updated.

  • Session MFA should be replaced with one-shot MFA where possible.
  • Retained session MFA should get workflow keys.
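The gating styles discussed on this task, modelled as a small added example (this is illustration code, not Phabricator's own implementation; the workflow keys, the 600-second TTL, the `Session` fields and the function names are assumptions). `legacy_authorize` reproduces the inconsistency the description reports: only direct user creation checks MFA, and any fresh session-wide MFA satisfies it, while invite, approve and Auth provider edits pass unchecked. `authorize` is the consistent gate: every sensitive workflow needs MFA, satisfied either by a one-shot grant bound to that exact workflow and spent on use, or by a retained session grant keyed by workflow so that MFA completed for one action cannot be reused for another.

```python
"""Model of MFA gating for user-creation-adjacent workflows.

Added example, not Phabricator code. Workflow keys, TTL and field names
are constructed for illustration.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Workflow keys for the actions named on the task (constructed identifiers).
USER_CREATE = "user.create"
USER_INVITE = "user.invite"
USER_APPROVE = "user.approve"
AUTH_PROVIDER_EDIT = "auth.provider.edit"
SENSITIVE_WORKFLOWS = frozenset(
    {USER_CREATE, USER_INVITE, USER_APPROVE, AUTH_PROVIDER_EDIT}
)

SESSION_MFA_TTL = 600  # assumed lifetime, in seconds, of a retained session MFA grant


class MFARequired(Exception):
    """Raised when a sensitive workflow is attempted without a valid MFA grant."""


@dataclass
class Session:
    user: str
    # Legacy: one session-wide timestamp, reusable by any action until it expires.
    session_mfa_at: Optional[float] = None
    # Retained session MFA keyed by workflow: a grant for inviting users
    # does not satisfy an Auth provider edit.
    workflow_mfa_at: Dict[str, float] = field(default_factory=dict)
    # One-shot grants: token -> workflow key; deleted when spent.
    one_shot: Dict[str, str] = field(default_factory=dict)


def legacy_authorize(session: Session, workflow: str, now: Optional[float] = None) -> bool:
    """Inconsistent gate: only direct creation checks MFA, and any fresh
    session-wide MFA passes regardless of what it was originally verified for."""
    now = time.time() if now is None else now
    if workflow != USER_CREATE:
        return True  # invite / approve / provider edits are not checked at all
    fresh = session.session_mfa_at is not None and now - session.session_mfa_at < SESSION_MFA_TTL
    if not fresh:
        raise MFARequired(workflow)
    return True


def grant_one_shot(session: Session, workflow: str) -> str:
    """Record a just-completed MFA check that is bound to exactly one workflow."""
    token = secrets.token_urlsafe(16)
    session.one_shot[token] = workflow
    return token


def grant_workflow_mfa(session: Session, workflow: str, now: Optional[float] = None) -> None:
    """Record a retained session MFA grant scoped to one workflow key."""
    now = time.time() if now is None else now
    session.workflow_mfa_at[workflow] = now


def authorize(session: Session, workflow: str,
              one_shot_token: Optional[str] = None,
              now: Optional[float] = None) -> bool:
    """Consistent gate: every sensitive workflow requires MFA, satisfied by a
    one-shot grant for this workflow (consumed here) or a fresh workflow-keyed
    session grant. The legacy session-wide flag is deliberately not accepted."""
    now = time.time() if now is None else now
    if workflow not in SENSITIVE_WORKFLOWS:
        return True
    if one_shot_token is not None and session.one_shot.get(one_shot_token) == workflow:
        del session.one_shot[one_shot_token]  # spent: presenting it again fails
        return True
    verified_at = session.workflow_mfa_at.get(workflow)
    if verified_at is not None and now - verified_at < SESSION_MFA_TTL:
        return True
    raise MFARequired(workflow)


if __name__ == "__main__":
    s = Session("alice")
    s.session_mfa_at = time.time()
    print("legacy invite without MFA:", legacy_authorize(s, USER_INVITE))
    tok = grant_one_shot(s, USER_INVITE)
    print("consistent invite with one-shot grant:", authorize(s, USER_INVITE, tok))
```

The one-shot token is looked up by both token and workflow key, so a grant issued for inviting a user is rejected if presented to the Auth provider editor, and the `del` makes a replay of the same token fail; the workflow-keyed session grant gives the same scoping for flows where a retained grant is still wanted.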