2fSelfRegistration == 0 + 2fActivation == 1 leads to registrable second factor being presented every time
Affected version
Version: 2.0.14
Platform: (Nginx/Apache/Node.js)
Summary
- Enable TOTP (or U2F, Yubikey, WebAuthn)
- Set totp2fSelfRegistration to 0
- Set totp2fActivation to 1
- Result: even if the user has no registered TOTP device, TOTP is still offered as a second factor, but it cannot succeed
Logs
[debug] Looking if totp2F is available
[debug] -> OK
The reason is clear:
    if ( $self->conf->{totp2fSelfRegistration}
        and $self->conf->{totp2fActivation} eq '1' )
    {
        # Replace the always-true rule with a check for a registered TOTP device
        $self->conf->{totp2fActivation} =
          '$_2fDevices && $_2fDevices =~ /"type":\s*"TOTP"/s';
    }
Meaning that if totp2fSelfRegistration is disabled, the activation rule stays at 1, which is always true, so the module is offered to every user regardless of whether a device is registered.
Possible fixes
Is there a use case in which enabling TOTP (or U2F, WebAuthn) makes sense WITHOUT checking whether the user has a registered device?
Note: for Yubikey there is such a use case: getting the Yubikey ID from a session attribute instead of the psession (yubikey2fFromSessionAttribute).
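To make the effect concrete, here is an added Perl illustration (not LemonLDAP::NG code) that models how the activation rule is derived from the configuration and evaluates it against two constructed sessions, one with a registered TOTP device and one without. The "fixed" variant assumes the device check is added whenever the rule is 1, regardless of self-registration; that is one reading of the question above, not the project's actual change.

```perl
#!/usr/bin/perl
# Added illustration, not LemonLDAP::NG code: derives the effective
# totp2fActivation rule from the configuration and evaluates it the way
# a rule string is evaluated, with $_2fDevices bound to the session.
use strict;
use warnings;

# Derive the effective activation rule from the configuration.
# $fixed => 1 applies the assumed fix: the device check is substituted
# whenever the rule is '1', independently of totp2fSelfRegistration.
sub activation_rule {
    my ( $conf, $fixed ) = @_;
    my $rule = $conf->{totp2fActivation};
    my $cond = $fixed ? 1 : $conf->{totp2fSelfRegistration};
    if ( $cond and $rule eq '1' ) {
        $rule = '$_2fDevices && $_2fDevices =~ /"type":\s*"TOTP"/s';
    }
    return $rule;
}

# Evaluate a rule string against a session: $_2fDevices holds the
# serialized device list, as in a LemonLDAP::NG session.
sub totp_offered {
    my ( $rule, $session ) = @_;
    our $_2fDevices = $session->{_2fDevices};
    my $res = eval $rule;
    die $@ if $@;
    return $res ? 1 : 0;
}

# Constructed sessions: one with a registered TOTP device, one without.
my %with_totp    = ( _2fDevices => '[{"type": "TOTP", "name": "phone"}]' );
my %without_totp = ( _2fDevices => '[]' );

# The configuration described in the report.
my %conf = ( totp2fSelfRegistration => 0, totp2fActivation => '1' );

for my $fixed ( 0, 1 ) {
    my $rule = activation_rule( \%conf, $fixed );
    printf "%s rule: %s\n", $fixed ? 'fixed   ' : 'original', $rule;
    printf "  user with TOTP device    -> offered: %d\n",
      totp_offered( $rule, \%with_totp );
    printf "  user without TOTP device -> offered: %d\n",
      totp_offered( $rule, \%without_totp );
}
```

With the original logic the rule stays at 1 and both users are offered TOTP; with the assumed fix only the user whose session contains a TOTP device is.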