We received a real support request to strip MFA, so we should figure out how to let administrators strip MFA in the cluster.
The simplest approach is to expose `auth strip` from the console. However, this means that an attacker who compromises an administrator account which has MFA on an instance but no MFA on the corresponding cluster account can strip the instance MFA: the instance's MFA is then only as strong as the weaker cluster account that controls it.
We can require or encourage administrators to set up cluster MFA, but then we can't verify their identities if they need that stripped.
Some approaches for this might be:
- Implement backup codes (T6549) -- but this only mitigates the issue, since it helps users who lose a device, not users who have lost the device and the codes.
- Implement SMS MFA -- this is less secure than TOTP (SMS can be intercepted or redirected by a SIM swap) but also easier to use and less likely to get lost (hopefully).
- Warn users that we do not strip MFA for any reason and that they must retain their backup codes.
- Creative out-of-band verification? We could call the company if they have a phone number listed somewhere, but there's probably no side channel we can employ in a reasonable number of cases.
- Timed unlocks (some discussion in T6549) or something in that vein: the strip takes effect only after a delay, during which the account owner is notified and can cancel it.
- If we could accept payments from anonymous users, we could have users make a $1 payment with the same card to verify that they possess the card (or a card in the company name or their real name). This is how USPS verifies identity for address changes. We can't actually see the card number, but name + last 4 digits is pretty compelling. However, they can't currently make a payment without logging into their account.
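To make the backup-code and timed-unlock options above concrete, here is an added sketch of how the two would fit together. It is example code written for this task, not code from Phabricator or the Phacility cluster, and it is in Python rather than PHP purely as a model. The class name `MFAAccount`, the 24-hour `UNLOCK_DELAY`, the 10-code count and the injected clock are all assumptions; hashing of stored codes, single-use redemption, and the cancel-token flow are the security properties the example is meant to show.

```python
import hashlib
import hmac
import secrets
import time

BACKUP_CODE_COUNT = 10            # assumption: how many codes to issue at once
UNLOCK_DELAY = 24 * 60 * 60       # assumption: 24h window in which the owner can cancel


class MFAAccount:
    """Model of one account's MFA state (hypothetical; not Phabricator's data model).

    `now` is injected so the timed unlock can be exercised without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self.mfa_enabled = True
        self._backup_hashes = set()   # only hashes are stored, never the codes
        self.pending_strip = None     # (requested_at, cancel_token) or None

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue_backup_codes(self) -> list:
        """Generate fresh single-use codes; replaces any earlier set."""
        codes = set()
        while len(codes) < BACKUP_CODE_COUNT:
            codes.add(secrets.token_hex(4))      # 8 hex chars from the CSPRNG
        self._backup_hashes = {self._hash(c) for c in codes}
        return sorted(codes)                     # shown to the user once

    def redeem_backup_code(self, code: str) -> bool:
        """Consume one code. Comparison is constant-time per stored hash."""
        candidate = self._hash(code).encode()
        matched = None
        for stored in self._backup_hashes:
            if hmac.compare_digest(stored.encode(), candidate):
                matched = stored
        if matched is None:
            return False
        self._backup_hashes.discard(matched)     # single use
        return True

    def strip_with_backup_code(self, code: str) -> bool:
        """Immediate strip: the user proves possession of a backup code."""
        if self.redeem_backup_code(code):
            self.mfa_enabled = False
            return True
        return False

    def request_strip(self) -> str:
        """Timed unlock: nothing changes now. The returned cancel token would be
        mailed to the account's addresses so a legitimate owner can abort."""
        token = secrets.token_urlsafe(16)
        self.pending_strip = (self._now(), token)
        return token

    def cancel_strip(self, token: str) -> bool:
        if self.pending_strip is None:
            return False
        _, expected = self.pending_strip
        if hmac.compare_digest(expected.encode(), token.encode()):
            self.pending_strip = None
            return True
        return False

    def finalize_strip(self) -> bool:
        """Apply a pending strip only once the full delay has elapsed."""
        if self.pending_strip is None:
            return False
        requested_at, _ = self.pending_strip
        if self._now() - requested_at < UNLOCK_DELAY:
            return False
        self.mfa_enabled = False
        self.pending_strip = None
        return True
```

The point of the delay is that an attacker holding a compromised cluster password but not the instance MFA device cannot strip MFA silently: the owner gets the notification and the cancel token during the window. Backup codes cover the opposite case, where the owner has lost the device but kept the codes, and they are stored hashed so a database read does not leak them.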