allow admin to generate a printout with temporary one-time passwords for a user
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | Won't Fix | Wishlist | Unassigned | (none)
Bug Description
User story:
As an SSO admin, I want to be able to generate a sheet of 10 valid tokens for a specific user from their admin profile so that I can provide them with temporary access to their account if they lose/forget their 2nd factor device.
Details:
Add a way for an admin to generate a printout sheet with 10 valid one-time passwords associated with a user's account.
Related work includes:
- generate multiple OTPs and associate them with the user's account
- invalidate each used password after the first successful login (possibly keep them around with the date they were used)
- indicate the status of the passwords in the user's account detail page (used/unused)
- allow admin to invalidate a set of OTPs (in case the user lost the printout sheet)
Changed in canonical-identity-provider:
importance: Undecided → Medium
status: New → Triaged
tags: added: kb-feature sp-1
Changed in canonical-identity-provider:
milestone: none → 2-factor-internal-production-ready
Changed in canonical-identity-provider:
importance: Medium → Low
Changed in canonical-identity-provider:
milestone: 2-factor-internal-production-ready → 2-factor-post-release-1
Changed in canonical-identity-provider:
milestone: 2-factor-internal-rollout → 2-factor-post-rollout
Changed in canonical-identity-provider:
importance: Low → Wishlist
milestone: 2-factor-post-rollout → none
Changed in canonical-identity-provider:
status: Triaged → Won't Fix
"(possibly keep them around with the date they were used)"
Remember that OATH/HOTP is a counter/event based OTP, so when a token is used, it automatically invalidates previous sequential tokens (generated with a lower counter value) and, on the other side, going too far ahead (exceeding the counter drift setting) will fail validation. The list of generated tokens should be enumerated and are designed to be entered in sequence. We probably shouldn't display the gen'd tokens after the first time - it should be up to the admin to mail/print/read them for the user at the time of generation.