Hello!
I had a couple of questions regarding some things I noticed with MFA. I can't tell if they're bugs or security features.
First, Peer accounts. It appears no user is able to change the "Enable MFA" status from the "Peers" menu in the left-hand navigation. As far as I'm aware, that is the only place a different administrator could disable MFA for a peer user in the event they lost their phone or were otherwise unable to enter the TOTP. My first thought was the permissions - perhaps an admin can change a help desk or CSR peer from the Peer account menu, but not admin to admin. However, I'm not able to change this option from the 'serveradmin' super user account either. I uncheck the option and select Update. It appears to take; however, when I navigate back to the Peer, it remains unchanged. The database remains untouched as well. Is this by design for some reason I'm missing? It creates a scenario where, if a Peer user needs their MFA reset, the only option I can see is to change the database directly, which I'd rather not do.
Second, the option to "Resend PIN" at the MFA prompt. It was raised as a security concern by some of our customers. I can see their point, as it effectively lets you sidestep the need to have the user's mobile device if you've compromised their email. I understand the attack would involve compromising the passwords of both SolidCP and their email, and the email itself should be protected with MFA. Funnily enough, it does provide a final bail-out option for the first issue regarding a Peer account lockout. Is that the rationale behind this option? I can understand its availability if the user doesn't set up an authenticator app and just uses email-based MFA, but I believe this option should be disabled if the user has a mobile device configured. I also believe it would be nice to provide a means for higher-level administrators to disable MFA via the Peer account menu.
Thank you for bringing this security feature into SolidCP. It's been fantastic and setup was super easy. It's really just these points that have left me a little confused.