Reset secret for Google Authenticator on re-enabling.
Currently, if you disable 2FA and enable it again for the same account, the same secret is used (from psa db). That is a security risk if 2FA was disabled due to the fact that a phone was lost. The next time 2FA is enabled for the same account, a new secret should be generated. Otherwise, the lost phone will still be able to generate a valid code.
Implement this feature as the default behaviour or at least add a "regenerate secret" button.
Related links:
https://talk.plesk.com/threads/how-to-disable-google-multi-factor-authentication-in-mysql.312675/
We are glad to inform you that from Plesk 18.0.65 the MFA secret key is now regenerated when the MFA feature is reactivated for a user. Thank you for helping us make Plesk better.
-- SH
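
The behaviour discussed in this thread, as an added example that is not part of the original request and is not Plesk's code: a standard RFC 6238 TOTP generator (the algorithm Google Authenticator uses) and a small store that either keeps or regenerates the secret when MFA is re-enabled. `MfaStore`, its fields and the login `admin` are hypothetical names chosen for illustration.

```python
import base64, hashlib, hmac, secrets, struct

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 over the 30-second time counter."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class MfaStore:
    """Hypothetical per-account MFA record; not Plesk's schema."""
    def __init__(self, regenerate_on_enable):
        self.regenerate_on_enable = regenerate_on_enable
        self.secrets = {}        # login -> base32 secret, kept across disable()
        self.enabled = set()

    def enable(self, login):
        # Old behaviour: reuse a stored secret. Fixed behaviour: always mint a new one.
        if self.regenerate_on_enable or login not in self.secrets:
            self.secrets[login] = base64.b32encode(secrets.token_bytes(20)).decode()
        self.enabled.add(login)
        return self.secrets[login]   # value shown to the user as QR code / setup key

    def disable(self, login):
        self.enabled.discard(login)  # the stored secret survives the disable

    def verify(self, login, code, at):
        if login not in self.enabled:
            return False
        return hmac.compare_digest(totp(self.secrets[login], at), code)

def lost_phone_still_valid(regenerate_on_enable, start=1_700_000_000):
    """True if codes from the first (lost) enrolment pass after re-enabling."""
    store = MfaStore(regenerate_on_enable)
    lost_phone_secret = store.enable("admin")    # enrolled on the phone later lost
    store.disable("admin")
    store.enable("admin")                        # re-enabled with a new phone
    times = [start + 30 * i for i in range(5)]   # five consecutive time steps
    return all(store.verify("admin", totp(lost_phone_secret, t), t) for t in times)

if __name__ == "__main__":
    print("secret reused on re-enable:     ", lost_phone_still_valid(False))
    print("secret regenerated on re-enable:", lost_phone_still_valid(True))
```

Checking five time steps keeps the regenerated case from passing by a chance collision on a single 6-digit code.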