Posted to user@guacamole.apache.org by Nick Couchman <vn...@apache.org> on 2020/04/06 01:09:43 UTC

Re: Is it possible to reset otp 2fa data for one single user

On Tue, Mar 17, 2020 at 05:45 Marco Agostini <
agostinimarco@comune.levico-terme.tn.it> wrote:

> ----- Original message -----
> > From: "ccoborgers" <ol...@chefsculinar.de>
> > To: "user" <us...@guacamole.apache.org>
> > Sent: Tuesday, 17 March 2020 10:29:35
> > Subject: Re: Is it possible to reset otp 2fa data for one single user
>
> > Thanks :)
> >
> > I was looking for such an SQL statement
> >
> > But is it OK, or better, is it safe enough to delete only the confirmation
> > flag without clearing the secret?
> >
> Depends if your user has lost the phone :-)
> In that case I prefer to destroy the user and recreate it.
>

I'm not sure about deleting the entire user account, but you can clear out
the TOTP secret attribute and this will result in the user getting prompted
to reconfigure TOTP with a fresh secret key, which is certainly more
secure.  If the user is doing something like switching phones or wants to
add another device with the same TOTP key, clearing the confirm flag may be
sufficient.

Related to this, there is a JIRA issue for this functionality in the admin
interface - you're definitely not the first to request it.  I've got it
mostly working - pull request is under review:

https://issues.apache.org/jira/browse/GUACAMOLE-770
https://github.com/apache/guacamole-client/pull/495

-Nick
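
The two reset options discussed above, as an added example that is not part of the original thread and is not Guacamole project code. It assumes the JDBC authentication schema (`guacamole_entity`, `guacamole_user`, `guacamole_user_attribute`) and the TOTP extension's attribute names, none of which are quoted in the thread; the SQLite database and its users and values are constructed stand-ins for the real MySQL/PostgreSQL database.

```python
import sqlite3

# Assumed attribute names from Guacamole's TOTP extension (not quoted in the thread).
SECRET = "guac-totp-key-secret"
CONFIRMED = "guac-totp-key-confirmed"

def make_demo_db():
    """Constructed, cut-down copy of the JDBC auth tables with two enrolled users."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE guacamole_entity (entity_id INTEGER PRIMARY KEY, name TEXT, type TEXT);
        CREATE TABLE guacamole_user (user_id INTEGER PRIMARY KEY, entity_id INTEGER);
        CREATE TABLE guacamole_user_attribute (
            user_id INTEGER, attribute_name TEXT, attribute_value TEXT,
            PRIMARY KEY (user_id, attribute_name));
        INSERT INTO guacamole_entity VALUES (1, 'alice', 'USER'), (2, 'bob', 'USER');
        INSERT INTO guacamole_user VALUES (10, 1), (20, 2);
    """)
    rows = [(10, SECRET, "CONSTRUCTEDSECRETA"), (10, CONFIRMED, "true"),
            (20, SECRET, "CONSTRUCTEDSECRETB"), (20, CONFIRMED, "true")]
    db.executemany("INSERT INTO guacamole_user_attribute VALUES (?, ?, ?)", rows)
    return db

def reset_totp(db, username, keep_secret=False):
    """Reset TOTP enrollment for exactly one user; returns rows removed.

    keep_secret=False removes the secret and the confirm flag (lost phone).
    keep_secret=True removes only the confirm flag (new or extra device).
    """
    names = (CONFIRMED,) if keep_secret else (SECRET, CONFIRMED)
    marks = ",".join("?" * len(names))  # placeholders only, no user input
    with db:  # commit on success, roll back on error
        cur = db.execute(
            f"""DELETE FROM guacamole_user_attribute
                WHERE attribute_name IN ({marks})
                  AND user_id = (SELECT u.user_id FROM guacamole_user u
                                 JOIN guacamole_entity e ON e.entity_id = u.entity_id
                                 WHERE e.type = 'USER' AND e.name = ?)""",
            (*names, username))
    return cur.rowcount

def totp_attrs(db, username):
    """Names of the TOTP attributes still stored for a user."""
    cur = db.execute(
        """SELECT a.attribute_name FROM guacamole_user_attribute a
           JOIN guacamole_user u ON u.user_id = a.user_id
           JOIN guacamole_entity e ON e.entity_id = u.entity_id
           WHERE e.name = ? ORDER BY a.attribute_name""", (username,))
    return [r[0] for r in cur]
```

An unknown username matches no rows and returns 0, so a typo cannot reset another account.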