9
Map multiple authentication methods to same user
in progress
Activity
Nicolas Giard
in progress
Nathan Green
I think this is already in the roadmap for 3.x, at "Account Linking" (https://docs.requarks.io/releases/roadmap#h-3x)
David Dearden
Just a note: I recently debated this exact feature with a team for a project I'm working on. In general we loved the idea, but it left a bit of a vulnerability. Say I have an account with 2FA that I use to sign in, but I also have an account with another identity provider that has no 2FA and a weak password, but the same email (maybe it was created for some testing or something). Then, if someone broke my weak account, they could access the sign-in with the less secure identity provider account. We settled on allowing the user to manually link the other identity providers to their account, but not doing it automatically when they try to sign in. That way it is up to the user to intentionally link it, and there are no surprise access loopholes.
tl;dr: great idea, don't link the account automatically
Rick Spencer
@David Dearden: Why not allow the user to determine their access levels (permissions) as a next step. This way security policies follow auth providers and auth discrepancies can be mitigated if the user elects to do so.