I have a question about how disabled factors should be handled.
Let's say a user has created a factor (e.g., registered FIDO2 device), but then subsequently disabled it and logged out.
Current situation: Upon login, if they want to access multifactor:home (i.e., the dashboard), they are redirected to multifactor:add to add another factor via RequireMultiAuthMixin.
Alt situation: Shouldn't they be able to access multifactor:home without being redirected to add another factor, so that they can re-authenticate if they want to perform re-enable/delete/other actions?
I'm just thinking about scenarios where a bad actor has gained access to an account with a disabled factor...
In the current situation, the bad actor could potentially add/enable their own, new factor and lock out the user, as the user doesn't have access to this new factor.
In the alt situation, maybe the bad actor should have to authenticate to the disabled factor before performing any enable/delete/other actions, so the user isn't locked out and could regain control.
I'm just spitballing so apologies if I'm overlooking any obvious security concepts.
The main issue I can think of about forcing someone to re-authenticate via a disabled factor that hasn't been removed is that if that disabled factor is their only second form of authentication and it is a device or mechanism (physical FIDO device, email, SMS, authenticator app) they no longer have access to, then, whilst this would stop bad actors, it would also stop legitimate users from being able to add any form of second authentication, as they would be required to re-authenticate via a mechanism they no longer have access to.
It is a good question though and perhaps something that could be controlled via a setting to allow people to choose the behaviour when they integrate?
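To make the trade-off in this thread concrete, here is an added example (not django-multifactor's own code, and `DisabledFactorPolicy`, `Decision`, `Factor`, `gate` and `legitimate_user_can_recover` are hypothetical names) that models both behaviours as a single policy setting of the kind suggested above. `gate` decides what an unverified-but-logged-in user may do on the dashboard, and `legitimate_user_can_recover` captures the lockout concern: under the re-authenticate-with-disabled-factor policy, a user who has lost the only disabled device has no path to enrol a new one.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List


class DisabledFactorPolicy(Enum):
    """Hypothetical integration setting choosing how disabled-only accounts behave."""
    REDIRECT_TO_ADD = "redirect_to_add"            # current behaviour in the issue
    REAUTH_WITH_DISABLED = "reauth_with_disabled"  # alternative proposed in the issue


class Decision(Enum):
    ALLOW = "allow"
    REDIRECT_ADD = "redirect:multifactor:add"
    REQUIRE_REAUTH = "require_reauth"


@dataclass(frozen=True)
class Factor:
    kind: str        # e.g. "fido2", "totp" (constructed sample values)
    enabled: bool    # the user toggled it on/off
    possessed: bool  # does the legitimate user still hold this device/channel?


def challengeable(factors: List[Factor], policy: DisabledFactorPolicy) -> List[Factor]:
    """Factors a re-authentication challenge may be run against under the policy."""
    enabled = [f for f in factors if f.enabled]
    if enabled:
        return enabled
    if policy is DisabledFactorPolicy.REAUTH_WITH_DISABLED:
        return [f for f in factors if not f.enabled]
    return []


def gate(action: str, factors: List[Factor], mfa_verified: bool,
         policy: DisabledFactorPolicy) -> Decision:
    """Decide what happens when a logged-in user requests `action` on the MFA
    dashboard. `action` is one of "view", "add", "enable", "delete"."""
    if mfa_verified:
        return Decision.ALLOW
    if any(f.enabled for f in factors):
        # Normal path: an enabled factor exists, so challenge it for everything.
        return Decision.REQUIRE_REAUTH
    if not factors or policy is DisabledFactorPolicy.REDIRECT_TO_ADD:
        # Nothing to challenge: enrolment is the only path. This is the window the
        # issue describes, because whoever holds the password can enrol a factor.
        return Decision.ALLOW if action == "add" else Decision.REDIRECT_ADD
    # Only disabled factors remain and the policy says to challenge them: viewing
    # the dashboard is harmless, anything that changes factor state needs a
    # successful challenge against one of the disabled factors first.
    return Decision.ALLOW if action == "view" else Decision.REQUIRE_REAUTH


def legitimate_user_can_recover(factors: List[Factor],
                                policy: DisabledFactorPolicy) -> bool:
    """The maintainer's concern: can the real user still reach a working factor?"""
    pool = challengeable(factors, policy)
    if not pool:
        return True  # no challenge stands between the user and enrolling a new factor
    return any(f.possessed for f in pool)


if __name__ == "__main__":
    # Constructed scenario from the issue: one FIDO2 factor, disabled, then logout.
    only_disabled = [Factor("fido2", enabled=False, possessed=True)]
    lost_device = [Factor("fido2", enabled=False, possessed=False)]
    for policy in DisabledFactorPolicy:
        print(policy.name)
        for action in ("view", "add", "enable", "delete"):
            print(f"  {action:<7} -> {gate(action, only_disabled, False, policy).value}")
        print(f"  user who lost the device can recover: "
              f"{legitimate_user_can_recover(lost_device, policy)}")
```

Running it prints the decision table for both policies side by side; the two rows that matter for the thread are `add` (allowed without a challenge under REDIRECT_TO_ADD, challenged under REAUTH_WITH_DISABLED) and the recovery line (False under REAUTH_WITH_DISABLED once the device is gone), which is exactly why a per-integration setting rather than a fixed choice is the defensible design.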