Improve accountability of 2FA devices
Currently, there is not much consistency when it comes to accounting for 2FA operations (device add, use, deletion).
- Some logs use type + name (TOTP add)
- Some logs use type only (TOTP delete, using 2F to log in)
- Some logs use type + epoch (WebAuthn add)
- Some operations are not logged at all (WebAuthn delete, manager delete, API delete)

And the format differs every time.

We should decide what to log exactly (name? epoch? both), use a common format (123456789@TOTP? [TOTP]My_iphone?) and log all the information every time a 2FA device is involved.

What are your opinions on what to log @clement_oudot / @maudoux? Is epoch (a technical ID) more interesting than name (a user-supplied string)?
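
One possible shape for such a common format, as an added example that is not LemonLDAP::NG code and not part of the original issue: a single formatter used for every add, use and delete, logging both epoch and name, with the user-supplied name escaped so it cannot forge fields or extra log lines. The `op`/`type`/`epoch`/`name`/`user`/`actor` field names, the `\u{..}` escaping and the sample values are assumptions made for illustration.

```python
import re

# Assumed vocabulary, taken from the operations and device types named in the issue.
OPERATIONS = ("add", "use", "delete")
DEVICE_TYPES = ("TOTP", "WebAuthn")

_UNSAFE = re.compile(r'[^\x20-\x7e]|["\\]')      # control, non-ASCII, quote, backslash
_ESCAPE = re.compile(r"\\u\{([0-9a-f]+)\}")
_LINE = re.compile(
    r'^2FA op=(\w+) type=(\w+) epoch=(\d+) name="([^"]*)" user="([^"]*)" actor="([^"]*)"$'
)


def _quote(value):
    """Quote a user-supplied string so it cannot forge fields or extra lines."""
    return '"%s"' % _UNSAFE.sub(lambda m: "\\u{%x}" % ord(m.group()), str(value))


def _unquote(value):
    """Reverse the escaping applied by _quote."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def format_2fa_event(operation, device_type, epoch, name, user, actor=None):
    """Build the single line logged for any operation on a 2FA device."""
    if operation not in OPERATIONS:
        raise ValueError("unknown operation: %r" % (operation,))
    if device_type not in DEVICE_TYPES:
        raise ValueError("unknown device type: %r" % (device_type,))
    # actor differs from user when a manager or an API call removes the device
    return "2FA op=%s type=%s epoch=%d name=%s user=%s actor=%s" % (
        operation, device_type, int(epoch), _quote(name), _quote(user),
        _quote(actor if actor is not None else user),
    )


def parse_2fa_event(line):
    """Recover the fields from a line produced by format_2fa_event."""
    m = _LINE.match(line)
    if m is None:
        raise ValueError("not a 2FA event line")
    op, dtype, epoch, name, user, actor = m.groups()
    return {"operation": op, "type": dtype, "epoch": int(epoch),
            "name": _unquote(name), "user": _unquote(user), "actor": _unquote(actor)}
```

Keeping the epoch as a bare integer gives a stable key for correlating add, use and delete events even when two devices share a name or a device is renamed.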