View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0010648 | Taler | merchant backend | public | 2025-11-24 15:15 | 2025-11-24 18:12 |
| Reporter | sebasjm | Assigned To | |||
| Priority | normal | Severity | feature | Reproducibility | have not tried |
| Status | acknowledged | Resolution | open | ||
| Product Version | 1.0 | ||||
| Summary | 0010648: missing mfa validation | ||||
| Description | After the creation of a self-provision instance with a verified email, I can go to the instance settings and change the email to mr@evil.com, and it will only require the validation of evil.com without requesting authorization of the first email. Backend should return 2 challenges with combi_and = true instead of one. | ||||
| Tags | No tags attached. | ||||

Well, that's questionable. If you lost your original e-mail account, you should be able to change it. The usual policy is to require 2-FA *if* you have 3 factors configured. So if you have an e-mail and SMS and passphrase, you need 2/3 to change any. If you only have 2 factors, you only need the passphrase to change the other. At least that was the _intended_ policy, because otherwise if you only have either e-mail or SMS and lose that one (phone number or e-mail access) you can never change it. So basically, 2-FA only applies after you configure *3* factors.

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2025-11-24 15:15 | sebasjm | New Issue | |
| 2025-11-24 18:12 | Christian Grothoff | Note Added: 0026602 | |
| 2025-11-24 18:12 | Christian Grothoff | Severity | minor => feature |
| 2025-11-24 18:12 | Christian Grothoff | Status | new => acknowledged |
| 2025-11-24 18:12 | Christian Grothoff | Product Version | => 1.0 |