two factor auth behaviour on /+decide reversed
Bug #930215 reported by Simon Davy
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | Confirmed | Low | Unassigned |
Bug Description
When a user is set to require 2f, but is only logged in, not 2f'd, and they go to a decide page, they get the decide page first and are then asked to two-factor auth. Probably should be the other way round: that they don't even see the decide page till they've 2f'd.
Not critical as users are unlikely to encounter this flow at all.
Changed in canonical-identity-provider:
milestone: 2-factor-internal-rollout → 2-factor-post-rollout
Changed in canonical-identity-provider:
milestone: 2-factor-post-rollout → none
tags: added: twofactor
This may actually be more common than initially thought. If the 2f auth in the session times out before the login cookie times out, they'll see this flow.
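
One way to enforce the ordering the report asks for, as an added example that is not the SSO provider's own code: a guard that checks login and 2f freshness before the decide view runs, covering the case where the 2f step has timed out while the login cookie is still valid. The session keys, the TTL values and the `/login` and `/two_factor` paths are assumptions.

```python
import time
from functools import wraps
from urllib.parse import urlencode

LOGIN_TTL = 14 * 24 * 3600   # assumed login-cookie lifetime, seconds
TWOFACTOR_TTL = 12 * 3600    # assumed 2f lifetime, shorter than the login


def _fresh(stamp, ttl, now):
    """True when `stamp` exists and is younger than `ttl` seconds."""
    return stamp is not None and 0 <= now - stamp < ttl


def require_auth_level(view):
    """Run `view` only once login and, if required, 2f are both fresh.

    `session` is a plain dict with hypothetical keys: requires_2f,
    login_at, twofactor_at. Views return (action, target) tuples.
    """
    @wraps(view)
    def guarded(session, path, now=None):
        now = time.time() if now is None else now
        # Carry the original path so the user lands back on it afterwards.
        back = urlencode({"next": path})
        if not _fresh(session.get("login_at"), LOGIN_TTL, now):
            return ("redirect", "/login?" + back)
        if session.get("requires_2f") and not _fresh(
                session.get("twofactor_at"), TWOFACTOR_TTL, now):
            # Step-up happens before the decide page is ever rendered.
            return ("redirect", "/two_factor?" + back)
        return view(session, path, now)
    return guarded


@require_auth_level
def decide(session, path, now=None):
    """Stand-in for the /+decide consent page."""
    return ("render", "decide")
```
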