Allow users to reset their password even with 2FA required
Completed
Currently the Forgot Password functionality of the HTTP listener UI doesn't work if the 2FA is required.
The administrator must disable the 2FA for the user first in order for them to reset their password.
Please create an option in the UI administration settings that we can allow a user to reset their password and 2FA token even with the 2FA required option. (accepting a disclaimer of security vulnerability)
-
Official comment
We are happy to announce that beginning with release 12.7, Cerberus FTP server supports self-service password reset for 2FA authentication.
Read more about it here - 2FA password reset
And access the complete release notes here to read about additional features and improvements in this version
-
Although I agree with this in principle, I think it needs to be a bit stronger than this.
Users should be required to configure a secondary way to complete the 2FA should they have an issue with their preferred option. For example, if a user has lost access to their mobile app, they should be able to request a pin number/code to be sent to their registered email address to gain access. To simply allow someone to re-set their 2FA with a disclaimer makes 2FA a bit pointless.
1 -
Is this something that Cerberus is looking into? With hundreds of users for our company, it is time-consuming to have someone basically manage passwords even though there is a capability to manage yourself... Only if you lower the authentication settings.
0 -
The application should require the current code from the Mobile Authenticator app and if verified allow the password reset in place, without mailing a link.
0