Requested: Several customers

The idea behind this is an emergency situation. For example: Company XYZ will be facing an audit, so they are establishing mandatory 2FA for all users. They are allowing LDAP PW, U2F and Smartphone. Now one of their users travels to a different country with no office close to his location, but he forgets the YubiKey at home. The idea now would be a secure way to log back in and to roll out, after the VPN connection is established, a different second factor, in this case the smartphone.

A factor, let's call it "Emergency" for simplicity, would be selected in the chain selection and the user would be provided with a very long alphanumeric OTP. This OTP would then have to be spelled out, digit by digit, to the admin at home, who would be able to generate a counter code (basically just a telephonic challenge response), which then will allow the user to log back into his machine. The admin then goes over the rollout process with the user and he will have a working 2FA again.

Now there are certain things I would like to see for this method:
- not visible at first sight in the chain selection (something like a link at the bottom or so)
- offline capabilities are mandatory
This method would be achievable by having a secret, like an OTP secret, distributed to the client on the first connection to the AAF server.
I would like to stress this, as we haven't seen anything similar in the product. This is one of the highest voted ideas. If you need more details, feel free to get in touch. Thanks!
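The telephonic challenge-response sketched in this request, written out as an added example that is not part of the original post and not code from the AAF product. It assumes the per-device secret mentioned above has already been handed to the client on its first connection (here a constructed byte string), that the counter code is a truncated HMAC-SHA256 over the user name and the spoken challenge, and that both codes use a 32-symbol alphabet without the letters I and O or the digits 0 and 1 so they can be read out over the phone. All names (`EmergencyLogin`, `admin_response`, `make_challenge`) are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed phone-friendly alphabet: 24 letters (no I, no O) + digits 2-9 = 32 symbols,
# so every symbol carries exactly 5 bits and nothing sounds like "zero" or "one".
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CHALLENGE_BYTES = 10   # 80 bits  -> 16 symbols the user reads to the admin
RESPONSE_BYTES = 5     # 40 bits  ->  8 symbols the admin reads back


def encode(data: bytes) -> str:
    """Map bytes to alphabet symbols, 5 bits per symbol (len(data) must be a multiple of 5)."""
    if len(data) % 5:
        raise ValueError("length must be a multiple of 5 bytes")
    value = int.from_bytes(data, "big")
    symbols = []
    for _ in range(len(data) * 8 // 5):
        symbols.append(ALPHABET[value & 31])
        value >>= 5
    return "".join(reversed(symbols))


def group(code: str, size: int = 4) -> str:
    """Insert dashes every `size` symbols so the code is easier to spell out."""
    return "-".join(code[i:i + size] for i in range(0, len(code), size))


def normalize(code: str) -> str:
    """Undo whatever the human did while dictating: case, dashes, spaces."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


def make_challenge(rand: Optional[bytes] = None) -> str:
    """Client side: fresh random challenge (rand is only injectable for tests)."""
    raw = secrets.token_bytes(CHALLENGE_BYTES) if rand is None else rand
    if len(raw) != CHALLENGE_BYTES:
        raise ValueError("challenge must be %d bytes" % CHALLENGE_BYTES)
    return encode(raw)


def admin_response(secret: bytes, user: str, challenge: str) -> str:
    """Admin side (works offline): counter code = truncated HMAC over user + challenge.

    Binding the user name in means a code generated for one account cannot be
    replayed against another device that happens to show the same challenge."""
    msg = b"emergency-factor-v1|" + user.encode() + b"|" + normalize(challenge).encode()
    tag = hmac.new(secret, msg, hashlib.sha256).digest()
    return encode(tag[:RESPONSE_BYTES])


class EmergencyLogin:
    """Client-side state for one emergency login attempt.

    Each challenge is single-use, allows a few mistyped attempts, and is burned
    after that so the user has to call the admin again for a new one."""

    def __init__(self, secret: bytes, user: str, max_attempts: int = 3) -> None:
        self._secret = secret
        self._user = user
        self._max_attempts = max_attempts
        self._pending = None          # [challenge, attempts_left] or None

    def start(self, rand: Optional[bytes] = None) -> str:
        """Return the grouped challenge to display; the user reads it to the admin."""
        self._pending = [make_challenge(rand), self._max_attempts]
        return group(self._pending[0])

    def verify(self, spoken_response: str) -> bool:
        """Check the code the admin read back. True unlocks the machine."""
        if self._pending is None:
            return False               # nothing outstanding: no challenge, no entry
        challenge, attempts_left = self._pending
        expected = admin_response(self._secret, self._user, challenge)
        if hmac.compare_digest(expected, normalize(spoken_response)):
            self._pending = None       # consumed: the same challenge can't be reused
            return True
        attempts_left -= 1
        self._pending = None if attempts_left == 0 else [challenge, attempts_left]
        return False


if __name__ == "__main__":
    # Constructed device secret standing in for what the AAF server would hand out.
    secret = b"per-device secret provisioned on first connection (constructed)"
    login = EmergencyLogin(secret, "alice")
    shown = login.start()
    print("User reads to admin :", shown)
    code = admin_response(secret, "alice", shown)   # admin's offline tool
    print("Admin reads back    :", group(code))
    print("Login unlocked      :", login.verify(group(code).lower()))
```

The client never needs network access: the only input it consumes is the code the admin reads back, and the admin's tool needs only the user's stored secret. Keeping the challenge single-use and capping attempts is what makes an 8-symbol (40-bit) response acceptable against someone guessing codes at the login prompt.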