allow user to generate a printout sheet of emergency one-time passwords

Bug #911942 reported by Ricardo Kirkner
This bug affects 2 people
Affects: Canonical SSO provider
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none shown)

Bug Description

User story:

As an SSO user, I want to generate a sheet of 10 valid tokens which I can print out and keep in a safe place so that I can access my account in an emergency.

Details:

Add a way for a user to generate a printout sheet with 10 valid one-time passwords.

Related work includes:

- generate multiple OTP and associate them to the user's account
- invalidate each used password after the first successful login (possibly keep them around with the date they were used)
- indicate the status of the passwords in the user's account detail page (used/unused)
- allow user to invalidate set of OTP (in case he lost the printout sheet)

Stuart Metcalfe (stuartmetcalfe) wrote :

See related notes in bug #911951

Changed in canonical-identity-provider:
importance: Undecided → Medium
status: New → Triaged
David Owen (dsowen)
tags: added: kb-feature sp-1
Changed in canonical-identity-provider:
milestone: none → 2-factor-internal-production-ready
David Owen (dsowen)
Changed in canonical-identity-provider:
status: Triaged → In Progress
tags: added: sp-5
removed: sp-1
David Owen (dsowen)
Changed in canonical-identity-provider:
importance: Medium → Low
Changed in canonical-identity-provider:
milestone: 2-factor-internal-production-ready → 2-factor-post-release-1
status: In Progress → Confirmed
David Owen (dsowen)
Changed in canonical-identity-provider:
assignee: nobody → Simon Davy (bloodearnest)
status: Confirmed → In Progress
Changed in canonical-identity-provider:
milestone: 2-factor-internal-rollout → 2-factor-post-rollout
Selene ToyKeeper (toykeeper) wrote :

Could we bump up the importance on this? As more of the company starts using 2F auth, people are getting locked out more often. There have been 4 such cases in the past day (though this is higher than usual).

I'd like to tell users that they should use paper as a backup auth method, but very few are willing to do it manually. It'd be much nicer if SSO could give them a printable page and take care of the key and sequence counter on its own.

I suspect this would require some relatively shallow UI changes, a new page for the users to print, a new auth device type almost identical to the generic type, and an extra field in the database to keep track of where the sequence counter should be on the print-outs.

To help users keep their passcode sheets in order, it would be nice to indicate the sequence counter somehow. A couple ways to do it are to say "OTPs #50-99" at the top of the sheet, or perhaps just prefix each passcode with its counter like "57: 123456". This could also eliminate the need to store the highest-printed counter in the database, if users have a way to track it themselves, and would allow them to print a sheet twice if desired.

Changed in canonical-identity-provider:
importance: Low → Wishlist
assignee: Simon Davy (bloodearnest) → nobody
status: In Progress → Triaged
milestone: 2-factor-post-rollout → none
tags: added: twofactor
Changed in canonical-identity-provider:
milestone: none → public-rollout
Daniel Manrique (roadmr)
Changed in canonical-identity-provider:
status: Triaged → Fix Released
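
An added illustration of the scheme discussed in this report (not code from Canonical SSO): RFC 4226 HOTP codes printed with their counter prefix, each accepted only once, with whole-sheet revocation. The `PaperDevice` class and its method names are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class PaperDevice:
    """Hypothetical 'paper' auth device: one key and a printed range of counters."""

    def __init__(self, key: Optional[bytes] = None, start: int = 0, count: int = 10):
        self.key = key or secrets.token_bytes(20)
        self.counters = range(start, start + count)
        self.used = set()      # counters already consumed by a successful login
        self.revoked = False

    def sheet(self) -> list:
        """Lines for the printable page, each prefixed with its counter ('57: 123456')."""
        return [f"{c}: {hotp(self.key, c)}" for c in self.counters]

    def status(self) -> dict:
        """used/unused per counter, as the account detail page would show it."""
        return {c: "used" if c in self.used else "unused" for c in self.counters}

    def verify(self, code: str) -> bool:
        """Accept an unused code from the sheet exactly once."""
        if self.revoked:
            return False
        for c in self.counters:
            if c not in self.used and hmac.compare_digest(hotp(self.key, c).encode(), code.encode()):
                self.used.add(c)
                return True
        return False

    def revoke(self) -> None:
        """Invalidate the whole sheet, e.g. after the printout is lost."""
        self.revoked = True


if __name__ == "__main__":
    print("\n".join(PaperDevice(start=50).sheet()))  # constructed demo, random key
```

Because any unused code on the sheet is accepted, a single guess is ten times likelier to succeed than against one expected counter, so this check belongs behind the same failed-attempt limiting as other second-factor devices.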