Disable 2FA - owner's vouch clarification.
During the investigation of 213846 (internal link) I came to a problem where a user requesting 2FA disable turned out to be a member in multiple groups from which some are free and some are groups with a subscription.
In the particular case we have a free group named like "group" and a paying group named "GROUP". I have asked for a vouch from GROUP's owner, but it arrived from the other one ("group").
This could cause a security problem where completely unrelated personnel could allow a user to regain access to a group with a subscription without that group's owner being aware of it.
Is it worth extending/amending our process described under "User fails to prove account ownership", from:

"Most commonly, an Owner in the top level namespace vouch is requested. Use the Support::SaaS::2FA::2FA ask owner vouch macro. The originating email of this request should match a verified email of the Owner's account."

to something like:

"Most commonly, an Owner in the top level namespace (with a valid subscription) vouch is requested. Use the Support::SaaS::2FA::2FA ask owner vouch macro. The originating email of this request should match a verified email of the Owner's account."
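To make the proposed check concrete, here is an added illustration (not part of the process document and not the platform's own code) of how the vouch validation would behave with the two conditions combined: the sender must match a verified email of an Owner, and the namespace that Owner owns must carry a valid subscription. The user, group and email values are constructed for the example; they reproduce the situation above, where the vouch arrives from the owner of the free "group" instead of the subscribed "GROUP".

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Group:
    """A top-level namespace the requesting user belongs to (constructed model)."""
    name: str
    has_subscription: bool
    # owner username -> emails the platform has verified for that owner
    owner_verified_emails: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class VouchDecision:
    accepted: bool
    reason: str
    vouching_group: Optional[str] = None
    vouching_owner: Optional[str] = None


def evaluate_owner_vouch(memberships: Dict[str, Group], sender_email: str) -> VouchDecision:
    """Decide whether an owner vouch e-mail can be used to disable 2FA.

    Accepted only when the sender address is a verified email of an Owner of a
    top-level namespace that (a) the user is a member of and (b) has a valid
    subscription. A match against an Owner of a free group is reported as a
    rejection so the agent can see why the vouch does not cover the paid group.
    """
    sender = sender_email.strip().lower()
    free_matches: List[Tuple[str, str]] = []

    for group in memberships.values():
        for owner, emails in group.owner_verified_emails.items():
            if sender not in {e.lower() for e in emails}:
                continue  # not a verified address of this owner
            if group.has_subscription:
                return VouchDecision(
                    True,
                    "sender is a verified owner email of a subscribed top-level namespace",
                    vouching_group=group.name,
                    vouching_owner=owner,
                )
            free_matches.append((group.name, owner))

    if free_matches:
        names = ", ".join(g for g, _ in free_matches)
        return VouchDecision(
            False,
            f"sender only owns free group(s) ({names}); the vouch must come from "
            "an owner of the subscribed group",
        )
    return VouchDecision(
        False, "sender does not match any verified owner email across the user's groups"
    )


def build_sample_memberships() -> Dict[str, Group]:
    """Constructed data mirroring the ticket: a free 'group' and a paid 'GROUP'."""
    return {
        "group": Group("group", has_subscription=False,
                       owner_verified_emails={"bob": {"bob@example.com"}}),
        "GROUP": Group("GROUP", has_subscription=True,
                       # carol@personal.example is deliberately NOT in the verified set
                       owner_verified_emails={"carol": {"carol@example.com"}}),
    }


if __name__ == "__main__":
    memberships = build_sample_memberships()
    for sender in ("bob@example.com", "carol@example.com",
                   "carol@personal.example", "nobody@example.com"):
        d = evaluate_owner_vouch(memberships, sender)
        print(f"{sender:<26} accepted={d.accepted!s:<5} {d.reason}")
```

The decision object carries the group and owner that actually vouched, which is what you would record in the ticket so that later review can confirm the vouch covered the namespace whose access was restored.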