Support » Plugin: Google Authenticator » Why no backup codes?

  • shahabsiavash

    (@shahabsiavash)


    One thing is that I don’t really know how one should login if for any reason the phone is missing or GA doesn’t work? The only solution would be removing the app?

    And once I deactivated the plugin and it still showed the GA field.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Henrik Schack

    (@henrikschack)

    It would not show the GA field if you deactivate the plugin

    shahabsiavash

    (@shahabsiavash)

    Maybe it was Cloudflare. I will test again and send the result.

    Again, could you please tell me whether it is true that there is no alternative way (like backup codes, email, SMS, …) to enter the site when you don’t have your phone?

    So the only solution is removing the plugin? And why not more options? Is it technical?

    Henrik Schack

    (@henrikschack)

    Backup codes are static passwords that grant access, and should, in my opinion, be avoided when possible.
    Here it’s possible to avoid, that’s the reason.

    shahabsiavash

    (@shahabsiavash)

    Reasonable. But if I may ask, what do you think about SMS or at least email? Whether we want it or not, among 30,000+ users some of them could lose their phone or something like that.

    And I think you don’t mention the FTP solution in the plugin page, so people wouldn’t know about that either. 🙂

    P.S: I have translated your plugin into Persian. If you like to add that to the plugin I can send it over.

    Ian Dunn

    (@iandunn)

    I agree with @henrikschack. If a regular user gets locked out, the admin can deactivate 2FA for their account.

    If an admin gets locked out, they can disable the plugin via SFTP, MySQL, etc. It wouldn’t hurt to add some documentation for that, though.

    SMS in particular is not a secure method for transmitting anything sensitive:

    https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

    Recovering accounts with 2FA enabled should require multiple authentication factors as well, otherwise 2FA is pointless.

    shahabsiavash

    (@shahabsiavash)

    Good read. I didn’t know about that. Thanks for the link.

    I guess the only thing that remains is letting the users know about the FTP.

    Just to clarify. If I do lose my phone all I need to do is go into the plugins folder via FTP and delete the folder for this plugin so I can thereafter get in via a username and password. Correct?
