Idea ID: 2790673

Offline emergency password

Status: Accepted
Requested: Several customers
The idea behind this is an emergency situation.
For example: Company XYZ will be facing an audit, so they are establishing mandatory 2FA for all users.
They are allowing LDAP PW, U2F and Smartphone. Now one of their users travels to a different country with no office close to his location, but he forgets the YubiKey at home.
The idea now would be a secure way to log back in and to roll out, after the VPN connection is established, a different second factor (in this case the smartphone). A factor, let's call it for simplicity "Emergency", would be selected in the chain selection and the user would be provided with a very long alphanumeric OTP. This OTP would then have to be spelled, digit by digit, to the admin at home, who would be able to generate a counter code (basically just a telephonic challenge response), which then will allow the user to log back into his machine. The admin then goes over the rollout process with the user and he will have a working 2FA again.
Now there are certain things I would like to see for this method:
- not visible at first sight in the chain selection (something like a link at the bottom or so)
- offline capabilities are mandatory

This method would be achievable by having a secret, like an OTP secret, distributed to the client on the first connection to the AAF server.
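One way to build the offline challenge-response sketched above, as an added example that is not part of this idea post or of the AAF product: the client keeps a secret provisioned at first connection, generates a long phone-readable challenge, and the admin (who has the same secret in the server database) computes the counter code with an HMAC over that challenge. The client verifies the spoken code offline, consumes the challenge so it can never be replayed, and locks after a few wrong attempts. The domain label, the Crockford-style alphabet, the 8-digit code length, the 3-attempt limit and the class/function names are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Assumed alphabet without I, L, O, U so the code is unambiguous when read aloud.
ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
DOMAIN = b"AAF-EMERGENCY-v1:"   # assumed domain-separation label, not an AAF value
RESPONSE_DIGITS = 8             # assumed length of the admin's counter code
MAX_ATTEMPTS = 3                # assumed lockout threshold per challenge


def encode_b32(raw: bytes) -> str:
    """Encode bytes with the phone-friendly alphabet, 5 bits per character."""
    value = int.from_bytes(raw, "big")
    length = (len(raw) * 8 + 4) // 5
    out = []
    for _ in range(length):
        out.append(ALPHABET[value & 31])
        value >>= 5
    return "".join(reversed(out))


def group(code: str, size: int = 4) -> str:
    """Split the challenge into dash-separated groups for reading over the phone."""
    return "-".join(code[i:i + size] for i in range(0, len(code), size))


def provision_secret() -> bytes:
    """Created by the server at first connection and stored on both sides."""
    return secrets.token_bytes(32)


def admin_response(secret: bytes, spoken_challenge: str) -> str:
    """Admin side: recompute the counter code from the challenge read over the phone.

    Normalises dashes, spaces and case so transcription differences do not matter,
    then derives a fixed-length decimal code from an HMAC (HOTP-style truncation).
    """
    challenge = spoken_challenge.replace("-", "").replace(" ", "").upper()
    mac = hmac.new(secret, DOMAIN + challenge.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** RESPONSE_DIGITS).zfill(RESPONSE_DIGITS)


class EmergencyClient:
    """Offline side: holds the provisioned secret and a monotonic counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0        # persisted on the device in a real client
        self.pending: Optional[str] = None
        self.attempts = 0

    def new_challenge(self, nonce: Optional[bytes] = None) -> str:
        """Build a 20-character challenge from the counter plus a random nonce."""
        nonce = nonce if nonce is not None else secrets.token_bytes(10)
        raw = struct.pack(">H", self.counter) + nonce   # 12 bytes -> 20 characters
        self.pending = group(encode_b32(raw))
        self.attempts = 0
        return self.pending

    def verify_response(self, response: str) -> bool:
        """Check the admin's code against the pending challenge; one success only."""
        if self.pending is None or self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1
        expected = admin_response(self.secret, self.pending)
        if not hmac.compare_digest(expected, response.strip()):
            return False
        self.pending = None     # consume: the same challenge can never succeed again
        self.counter += 1
        return True


if __name__ == "__main__":
    shared = provision_secret()           # done once, at first connection
    device = EmergencyClient(shared)
    challenge = device.new_challenge()    # user reads this out to the admin
    code = admin_response(shared, challenge)
    print("challenge:", challenge, "admin code:", code, "ok:", device.verify_response(code))
```

The counter is embedded in the challenge so the server can record which emergency logins have been used and refuse a challenge it has already answered; after a successful emergency login the client should also discard the secret and rely on the newly rolled-out second factor.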

BR Dan
