Atlas » IAM
    Andre commented  · 

    Kushal, good suggestion. I would suggest as well, that it's a little more serious than just showing an indicator though. Consider:

    1. Set up 2FA on your account by logging in with your user/pass (org has 2FA mandatory set).
    2. Then, log in to your account using Google Auth (matching email). There's nothing stopping you doing this and as admins we can't turn it off.
    3. 2FA is now REMOVED from your account (silently, no notification to the user at all). Your email/password credentials are still valid though.
    4. Now, if an unauthorised user gets access to the user/pass and tries to log in, they are presented with a 2FA enrolment process. They complete this and take over the account.

    This isn't very secure and in fact is pretty much a nightmare scenario. One of two things needs to happen:

    1. Google auth doesn't remove the 2FA setting on the account OR
    2. Logging in via Google should clear your password credentials, making it impossible to log in via user/pass

    At the moment, it's easy for a standard user to silently/unknowingly remove 2FA from their account and revert it to user/pass only.

    @Mongo can you fix this issue urgently pls. This is a significant security risk for cloud mongodb accounts.
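A constructed model of the account-state problem described in the comment above, added here as an illustration and not code from the comment or from Atlas: it replays the four steps under the reported behaviour and under each of the two suggested fixes, and shows what a password-only attempt gets in each case. The `Policy` flags, the outcome strings and the sample credentials are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model, not Atlas's real implementation. Assumes an org-wide
# "2FA mandatory" setting, password login, and federated (Google) login on
# a matching email address.

@dataclass
class Account:
    email: str
    password: Optional[str]        # None once password credentials are cleared
    totp_enrolled: bool = False

@dataclass
class Policy:
    federated_login_removes_2fa: bool      # the behaviour reported in the comment
    federated_login_clears_password: bool  # suggestion 2 in the comment

def password_login(acct: Account, password: str, totp_ok: bool) -> str:
    """Outcome of a user/pass attempt when the org mandates 2FA."""
    if acct.password is None:
        return "password_login_disabled"
    if password != acct.password:
        return "bad_password"
    if not acct.totp_enrolled:
        # 2FA mandatory but nothing enrolled: the caller is walked through
        # enrolment, which is step 4 of the comment.
        return "enrolment_offered"
    return "ok" if totp_ok else "2fa_required"

def google_login(acct: Account, policy: Policy) -> None:
    """Federated login on the matching email, applying the policy's side effects."""
    if policy.federated_login_removes_2fa:
        acct.totp_enrolled = False   # the factor is dropped silently (the bug)
    if policy.federated_login_clears_password:
        acct.password = None         # suggestion 2: no password path remains

def scenario(policy: Policy) -> str:
    """Replay steps 1-4 and report what a password-only attempt (no TOTP,
    i.e. someone holding only the credentials) receives."""
    acct = Account("user@example.com", "constructed-password")  # constructed
    acct.totp_enrolled = True         # step 1: user enrols 2FA
    google_login(acct, policy)        # step 2: user signs in with Google
    return password_login(acct, "constructed-password", totp_ok=False)  # step 4

REPORTED = Policy(federated_login_removes_2fa=True, federated_login_clears_password=False)
FIX_KEEP_2FA = Policy(federated_login_removes_2fa=False, federated_login_clears_password=False)
FIX_CLEAR_PASSWORD = Policy(federated_login_removes_2fa=True, federated_login_clears_password=True)

if __name__ == "__main__":
    for name, p in [("reported", REPORTED), ("keep 2FA", FIX_KEEP_2FA), ("clear password", FIX_CLEAR_PASSWORD)]:
        print(f"{name}: {scenario(p)}")
```

Under the reported behaviour the password-only attempt is offered enrolment; under either fix it is stopped before that point.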
