1 result found
An error occurred while saving the commentAndre commented
Kushal, good suggestion. I would suggest as well, that it's a little more serious than just showing an indicator though. Consider:
1. Setup 2FA on your account by logging in with your user/pass (org has 2FA mandatory set).
2. Then, login to your account using Google Auth (matching email). There's nothing stopping you doing this and as admins we can't turn it off
3. 2FA is now REMOVED from your account (silently, no notification to the user at all). Your email/password credentials are still valid though.
4. Now, if an unauthorised user gets access to the user/pass and tries to login they are presented with a 2FA enrolment process. They complete this and take over the account.
This isn't very secure and in fact is pretty much a nightmare scenario. One of two things needs so happen:
1. Google auth doesn't remove the 2FA setting on the account OR
2. Logging in via Google should clear your password credentials, making it impossible to login via user/pass
At the moment, it's easy for a standard user to silently/unknowingly remove 2FA from their account and revert it to user/pass only.
@Mongo can you fix this issue urgently pls. This is a significant security risk for cloud mongodb accounts.