Web Development

5499 readers

20 users here now

Welcome to the web development community! This is a place to post, discuss, get help about, etc. anything related to web development

What is web development?

Web development is the process of creating websites or web applications

Rules/Guidelines

Follow the programming.dev site rules
Keep content related to web development
If what you're posting relates to one of the related communities, crosspost it into there to help them grow
If youre posting an article older than two years put the year it was made in brackets after the title

Related Communities

Wormhole

!cool_github_projects@programming.dev

Some webdev blogs

Not sure what to post in here? Want some web development related things to read?

Heres a couple blogs that have web development related content

https://frontendfoc.us/ - [RSS]
https://wesbos.com/blog
https://davidwalsh.name/ - [RSS]
https://www.nngroup.com/articles/
https://sia.codes/posts/ - [RSS]
https://www.smashingmagazine.com/ - [RSS]
https://www.bennadel.com/ - [RSS]
https://web.dev/ - [RSS]

Credits

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 2 years ago

MODERATORS

snowe@programming.dev

erlingur@programming.dev

Ategon@programming.dev

Best practice for resetting a user's MFA? (startrek.website)

submitted 2 days ago* (last edited 2 days ago) by IcedRaktajino@startrek.website to c/webdev@programming.dev

5 comments fedilink hide all child comments

I'm putting together an API for a project, and one of the requirements is MFA. I'm using TOTP and that all works. I also have facilities to clear the MFA token and regenerate / re-enroll the secret, but I'm wondering what the best practice is for invoking that.

Essentially I need a "forgot password" but for their MFA method (e.g. if they lose their phone or MFA secret).

Would a valid password + validation email be sufficient? Or should I require the user to contact the administrators to reset the MFA? Or something else?

Implementation Notes:

MFA is required for a password reset, so if their email is compromised, the attacker wouldn't necessarily be able to set a new password
A valid email address is required and verified at signup.
If they lose access to their email and MFA, they will have to contact the application administrators for assistance.
This isn't a "high stakes" application (e.g not banking, healthcare, etc) but I do want to make sure accounts are reasonably secure.

you are viewing a single comment's thread
view the rest of the comments

[–] tapdattl@lemmy.world 1 points 2 days ago

My work has us call a helpdesk which verifies our ID (based off the number we're calling from and other info) then gives us a one-time password to reset all our login info