You have a very good content in here, I must say this is one of the best spring security tutorial on TH-cam... But you didn't cover a case where the user removed the application from the authenticator. e.g I have been authenticated by application xyz and mistakenly removed xyz from my authenticator, how can one be reauthenticate so xyz is added again to the authenticator?
for me the application is not working as expected. Can you tell me what is the username password you are using and how to use spring mfa screen with ip address?
8 หลายเดือนก่อน
Any pointer on what changes would be required when having a login page and (optionally) requesting the otp on the following page ?
That is a great question! For starters, I'd issue recovery codes when a new MFA device is attached, so users can store these recovery codes somewhere safe and use them in case their MFA device is no longer available. Secondly, I'd allow users to request a reset in which case an email with a one-time link (similar to what I've described here th-cam.com/video/4ES-TZ61ZTM/w-d-xo.html) is sent to them so they can attach a new MFA device.
Hey, thanks for the comment! What do you mean by stateless? The application is already configured to not use sessions and each request is handled independently without using shared state.
Grab the code here axgr.dev/posts/spring-security-mfa/?
Thanks for the video! It`s very cool and useful =)
Glad it's useful!
You have a very good content in here, I must say this is one of the best spring security tutorial on TH-cam... But you didn't cover a case where the user removed the application from the authenticator. e.g I have been authenticated by application xyz and mistakenly removed xyz from my authenticator, how can one be reauthenticate so xyz is added again to the authenticator?
for me the application is not working as expected. Can you tell me what is the username password you are using and how to use spring mfa screen with ip address?
Any pointer on what changes would be required when having a login page and (optionally) requesting the otp on the following page ?
That should be doable with the setup I have in the video. The frontend just needs to check for the headers to see if MFA authentication is required.
what if a user lost his mobile phone and wants to reset mfa?
That is a great question! For starters, I'd issue recovery codes when a new MFA device is attached, so users can store these recovery codes somewhere safe and use them in case their MFA device is no longer available. Secondly, I'd allow users to request a reset in which case an email with a one-time link (similar to what I've described here th-cam.com/video/4ES-TZ61ZTM/w-d-xo.html) is sent to them so they can attach a new MFA device.
How to do it, stateless
Hey, thanks for the comment! What do you mean by stateless? The application is already configured to not use sessions and each request is handled independently without using shared state.