Require password reset for 2FA enrollment after requirement is enforced. #13763

ewdurbin · 2023-05-26T00:51:31Z

What's the problem this feature will solve?

Once we have required 2FA for uploads globally, we should require a password reset flow to be completed before allowing enrollment of a 2FA mechanism.

This keeps "abandoned" accounts from being hijacked by a simple password leak, with the caveat that a compromised email is a compromised email.

Describe the solution you'd like

After global 2FA requirement for upload is enforced, a user returning to enroll in 2FA should be required to complete a password reset flow. We can gate this on the "last password date" value for a given user.

di · 2024-01-02T17:42:10Z

Do we actually need to reset the password, or can we just do an email verification flow?

ewdurbin · 2024-04-02T14:25:00Z

I think #15692 closes this.

ewdurbin added feature request requires triaging maintainers need to do initial inspection of issue and removed requires triaging maintainers need to do initial inspection of issue labels May 26, 2023

dstufft added the 2FA label May 26, 2023

di mentioned this issue Jun 23, 2023

[meta] 2FA enforcement rollout #14010

Closed

22 tasks

ewdurbin closed this as completed Apr 2, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Require password reset for 2FA enrollment after requirement is enforced. #13763

Require password reset for 2FA enrollment after requirement is enforced. #13763

ewdurbin commented May 26, 2023 •

edited

Loading

di commented Jan 2, 2024

ewdurbin commented Apr 2, 2024

Require password reset for 2FA enrollment after requirement is enforced. #13763

Require password reset for 2FA enrollment after requirement is enforced. #13763

Comments

ewdurbin commented May 26, 2023 • edited Loading

di commented Jan 2, 2024

ewdurbin commented Apr 2, 2024

ewdurbin commented May 26, 2023 •

edited

Loading