Change 2FA Workflow
Currently, the 2FA workflow requires peer review before we send challenges to the customer. As far as security is concerned, a review at that stage doesn't seem to add much value to the process.
PROPOSAL
- Have a macro with a standard set of challenges that we send out as soon as an agent establishes that account verification is the only way to go.
- After the user responds to the challenges, in an internal note:
  - Do the data classification
  - Copy and paste the challenges and mark each one as passed or failed
  - Note the risk factor using the risk factor sheet
- Ask for peer review at this stage. Here the peer will agree or disagree with the classification and the risk factor, and by association with whether 2FA will be deactivated.
Benefit
- This keeps the focus on what matters, the decision to disable 2FA, rather than on the challenges or the classification themselves, and ultimately increases security for our users.
- Saves the FRT
Opinions needed. Feel free to poke holes.
/cc @gl-support
Edited by Caroline Wainaina