v0.2.0

@janko janko released this 28 Nov 23:34
· 67 commits to master since this release
f9723af
  • When a user is logged in via OmniAuth, and they've authenticated via password through the confirm_password feature, the session is no longer considered multifactor authenticated.

    This should be a safer default, considering that people still reuse passwords, so a database breach might allow the attacker to log into both accounts using the same credentials, and the developer might not be aware they've allowed using OmniAuth login as a 2nd factor in the first place.
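
The change described above, as an added Ruby model that is not rodauth-omniauth's own code. It assumes the session keeps a list of the methods used to authenticate and counts as multifactor once that list has two entries; the class, method and factor names are hypothetical.

```ruby
# Constructed model of session factor tracking (all names are hypothetical).
class SessionModel
  attr_reader :authenticated_by

  # omniauth_counts_as_factor: true models the old behaviour, false the new default.
  def initialize(omniauth_counts_as_factor:)
    @omniauth_counts_as_factor = omniauth_counts_as_factor
    @authenticated_by = []
  end

  def login_via(method)
    @authenticated_by = [method]
    self
  end

  # Password confirmation re-proves the primary credential.
  def confirm_password
    @authenticated_by.delete("password")
    # New default: the password replaces the OmniAuth login instead of stacking on it.
    @authenticated_by.delete("omniauth") unless @omniauth_counts_as_factor
    @authenticated_by.unshift("password")
    self
  end

  # Records a dedicated second factor (for example "totp").
  def add_factor(method)
    @authenticated_by << method unless @authenticated_by.include?(method)
    self
  end

  # Assumption: two or more recorded methods mark the session as multifactor.
  def multifactor_authenticated?
    @authenticated_by.length >= 2
  end
end

# Audit helper: true when a session's multifactor status rests only on a
# password plus an OmniAuth login, with no dedicated second factor.
def password_plus_omniauth_only?(authenticated_by)
  authenticated_by.length >= 2 && (authenticated_by - %w[password omniauth]).empty?
end

before = SessionModel.new(omniauth_counts_as_factor: true).login_via("omniauth").confirm_password
after  = SessionModel.new(omniauth_counts_as_factor: false).login_via("omniauth").confirm_password
puts "before: #{before.authenticated_by.inspect} mfa=#{before.multifactor_authenticated?}"
puts "after:  #{after.authenticated_by.inspect} mfa=#{after.multifactor_authenticated?}"
```

The audit helper can be run over stored session data to find sessions that were granted multifactor status by the old behaviour.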