FusionAuth
    Best posts made by stephen

    • Is it possible to disable two-factor without providing the two-factor code?

      Hello,

      We're implementing two-factor authentication in our application and want to provide a path for a user if they are no longer able to generate a two-factor code. This would happen if they lost their device or the device was destroyed by being thrown into a volcano like the One Ring.

      The two ways I've seen this handled in other systems are:

      • Provide an API endpoint that requires API Key Authentication and doesn't require a two-factor code so that we can develop an API endpoint that a Global Administrator can use to allow the affected user to bypass two-factor.
      • Provide one or more recovery codes that a user can enter to bypass entering the two-factor code

      I'm not sure if I'm missing a way to do either of these or there are any other recommended solutions to handle this use case.

      Thanks for helping out,
      Stephen

      posted in Q&A
      stephen
    • RE: Is it possible to disable two-factor without providing the two-factor code?

      Thanks for the reply!

      I didn't realize you could turn off the two-factor by patching the user. Thanks for pointing me in the correct direction.

      posted in Q&A
      stephen
    • RE: Is it possible to disable two-factor without providing the two-factor code?

      Thanks for adding an issue for this

      posted in Q&A
      stephen
    • How long does the email template changePasswordId id last before it expires? How can invitation expiration be implemented?

      Hello,

      For future users that land on this topic, I've figured out an answer for the first question—"How long does the email template changePasswordId id last before it expires?". The Account Created email has a variable in it called changePasswordId that you can use to reset the user's password by passing it to the Change a User's Password API. The expiration time setting for this changePasswordId is called Setup Password in the FusionAuth settings. There is a different expiration time setting for the changePasswordId that is returned from the Start Forgot Password Workflow. That changePasswordId setting is called Change Password. Both of these expiration time settings can be adjusted in the FusionAuth UI by navigating to the advanced settings of the tenant.

      I've run into some issues with the invitation flow and providing a good experience to the users of our application. One issue I'm having is that there is no way to distinguish an error for the invite user flow from an error on a reset password flow. This means that I can't display "Your invite has expired" to the user; I can only give them a generic "your invite didn't work" message with no direction for recourse other than telling them that they can reset their password to get their account back. This is not a desirable behavior for our application. Please let me know if there are any solutions to this that I'm missing.

      The workflow I would like to achieve in our application UI is the following:

      • Invites expire after 7 days
      • In the list of users I can see what users have accepted the invite and which haven't
      • If a user's invite has expired, an admin can resend them the invite

      There doesn't seem to be the concept of invites expiring in FusionAuth (Email Verification can expire, but that doesn't prevent change password requests). What I'm thinking I would need to do to achieve this is the following:

      • Set Email Verification in the advanced tenant settings to 7 days (604800 seconds)
      • Store a boolean for if the password has been initially set—this will let us know if the invite has been accepted. We can call this hasInviteBeenAccepted.
      • Intercept the complete reset password API
        • If 7 days have not passed, reset the password and set hasInviteBeenAccepted to true
        • If 7 days have passed and hasInviteBeenAccepted is false, return an error
      • If 7 days have passed
        • Remove application registration to deny login attempts
        • If hasInviteBeenAccepted is false, display a button on the users screen for admins that allows them to resend the invite. The user will also need to be reregistered to the application.
          • I think the only way to resend the initial invite is to remove the user and recreate them
      • Intercept the initiate password reset request
        • If hasInviteBeenAccepted is false, return an error
        • If hasInviteBeenAccepted is true, initiate the password reset request

      Am I missing anything? Are there any suggestions for a better workflow for this?

      Is this something that makes sense to be included as a feature of FusionAuth?

      Thanks,
      Stephen

      posted in Q&A
      stephen
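The workflow in the post above, written out as an application-side gate. This is an added example, not code from the post or from FusionAuth: the application keeps its own per-user invite record (when the invite was sent, hasInviteBeenAccepted, whether the application registration still exists) and checks it before forwarding to FusionAuth. The FusionAuth calls are represented by a stub `FakeFusionAuthClient` with hypothetical method names, so the block runs offline; the 604800-second TTL and the reference time are constructed values. The cleanup job only deregisters users who never accepted, which is how the "If 7 days have passed" step is read here.

```python
"""Invite-expiry gate layered on top of password-reset endpoints (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# 7 days, the same value the post proposes for the Email Verification setting.
INVITE_TTL = timedelta(seconds=604800)
# Constructed reference clock so the example is deterministic.
NOW = datetime(2020, 1, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)


@dataclass
class InviteRecord:
    """Application-side state for one invited user (hypothetical schema)."""
    user_id: str
    invite_sent_at: datetime
    has_invite_been_accepted: bool = False
    registered: bool = True          # application registration still present


class FakeFusionAuthClient:
    """Stand-in for the FusionAuth HTTP calls; records what would be sent.
    Method names are hypothetical, not FusionAuth's client API."""
    def __init__(self) -> None:
        self.calls: List[Tuple] = []

    def change_password(self, change_password_id: str, new_password: str) -> None:
        self.calls.append(("change_password", change_password_id))

    def forgot_password(self, login_id: str) -> None:
        self.calls.append(("forgot_password", login_id))

    def deregister(self, user_id: str, application_id: str) -> None:
        self.calls.append(("deregister", user_id, application_id))


def invite_expired(rec: InviteRecord, now: datetime) -> bool:
    return now - rec.invite_sent_at > INVITE_TTL


def complete_reset_password(client, rec: InviteRecord, change_password_id: str,
                            new_password: str, now: datetime) -> Tuple[str, str]:
    """Intercept the complete-reset-password step.
    Returns (status, detail) so the UI can show 'Your invite has expired'
    instead of a generic failure."""
    if not rec.has_invite_been_accepted and invite_expired(rec, now):
        return ("error", "invite_expired")
    client.change_password(change_password_id, new_password)
    rec.has_invite_been_accepted = True   # first successful set = invite accepted
    return ("ok", "password_set")


def initiate_password_reset(client, rec: InviteRecord, login_id: str) -> Tuple[str, str]:
    """Intercept the start-forgot-password step: only users who accepted
    their invite may use the ordinary reset flow."""
    if not rec.has_invite_been_accepted:
        return ("error", "invite_not_accepted")
    client.forgot_password(login_id)
    return ("ok", "reset_email_sent")


def expire_stale_invites(client, records: List[InviteRecord], application_id: str,
                         now: datetime) -> List[str]:
    """Periodic job: remove the application registration of users whose
    invite expired without being accepted, so they cannot log in.
    Returns the user ids that were deregistered (admins can resend to these)."""
    expired = []
    for rec in records:
        if rec.registered and not rec.has_invite_been_accepted and invite_expired(rec, now):
            client.deregister(rec.user_id, application_id)
            rec.registered = False
            expired.append(rec.user_id)
    return expired


if __name__ == "__main__":
    client = FakeFusionAuthClient()
    stale = InviteRecord("u1", NOW - 8 * DAY)
    fresh = InviteRecord("u2", NOW - 2 * DAY)
    print(complete_reset_password(client, stale, "cpid-1", "pw", NOW))
    print(complete_reset_password(client, fresh, "cpid-2", "pw", NOW))
    print(expire_stale_invites(client, [stale, fresh], "app-id", NOW))
```

Returning a distinct `invite_expired` detail is the point: the generic FusionAuth error cannot tell the two flows apart, but the application can, because it recorded when the invite went out.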
    • RE: How long does the email template changePasswordId id last before it expires? How can invitation expiration be implemented?

      Added a feature request for this issue: https://github.com/FusionAuth/fusionauth-issues/issues/904

      posted in Q&A
      stephen