> So technically you can have something like:
> - create OTP token and mark it disabled
> - show OTP token configuration details to a user
> - ask user for this token validation: enter a password and a value
> - enable token
> - verify token
> - if verification fails, disable the token again

Some of the "I'm locked out, please disable my token" emails I've seen mention their browser crashing while displaying the token (I suppose it's not easy to enroll a token on your phone if you're viewing the page on your phone too; switching apps can easily kill background apps on phones). In that case we wouldn't get a chance to disable the token after a failed validation. I would prefer not enabling a token until it's been verified, but if I don't find a way I'll try that, thanks for the suggestion.

> > Again, there is no API in IPA to do that. Christian suggested a
> > workaround where we could use a HOTP token to get a similar result,
> > however the user would still need to enroll the HOTP token, so if they
> > can't enroll their TOTP or if it fails, there's little chance
> > enrolling the HOTP token will not fail as well.
>
> You can enroll that token automatically and disable it.

Could you explain a bit more how that would work for users? I'm not getting how a HOTP token could be used for recovery codes.

Thanks for your input!

Aurélien
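The "don't enable until verified" flow Aurélien prefers, as an added example that is not FreeIPA code and not from anyone in this thread: a token is created disabled, the user is shown its configuration, and only a successful TOTP confirmation enables it, so a browser crash mid-enrollment leaves nothing usable for login and nothing to disable afterwards. The `TokenStore` class, its state names and the in-memory dict are assumptions standing in for the IdM's real token store; the HOTP/TOTP code follows RFC 4226 / RFC 6238.

```python
import base64
import hashlib
import hmac
import secrets
import struct

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)

class TokenStore:
    """Constructed in-memory stand-in for the IdM token store (assumption, not FreeIPA's API).
    Tokens start PENDING (disabled). Only a successful confirmation moves them to ENABLED,
    so a crash while the secret is on screen leaves nothing usable for login and nothing
    that has to be disabled afterwards."""

    def __init__(self):
        self.tokens = {}  # token_id -> {"secret": bytes, "state": "PENDING" | "ENABLED"}

    def create_pending(self):
        """Steps 1-2: create the token disabled and hand the user its configuration."""
        secret = secrets.token_bytes(20)
        token_id = secrets.token_hex(8)
        self.tokens[token_id] = {"secret": secret, "state": "PENDING"}
        # Authenticator apps expect the base32 form in the otpauth:// URI / QR code.
        return token_id, base64.b32encode(secret).decode()

    def confirm(self, token_id, code, now, skew=1):
        """Step 3: the user proves the app was enrolled by submitting one TOTP value.
        Only then is the token enabled; a wrong or missing code leaves it PENDING."""
        tok = self.tokens[token_id]
        if tok["state"] != "PENDING":
            return False
        for window in range(-skew, skew + 1):
            expected = totp(tok["secret"], now + window * 30)
            if hmac.compare_digest(expected.encode(), code.encode()):
                tok["state"] = "ENABLED"
                return True
        return False

    def usable_for_login(self, token_id):
        return self.tokens[token_id]["state"] == "ENABLED"
```

A token left PENDING by an abandoned enrollment can simply be garbage-collected; it never becomes a login factor.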