20 Jan
2022
20 Jan
'22
3:16 p.m.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29894 --- Comment #10 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Marcel de Rooy from comment #4)
Still thinking about what we do now in registering: create secret, pass it out, get it back, etc. Easy way to build the qr but not pass the secret in that process?
The CSRF token protects the secret. Fine enough probably. Especially if we would send a notice when we register or deregister 2FA to inform the user about such a change. That notice might be a simple pragmatic additional precaution. -- You are receiving this mail because: You are watching all bug changes.