Replies: 3 comments
-
What is the use case for wanting to do so? It will enable somebody to sneak behind your computer while you are grabbing a coffee and change the recovery codes.
-
Hi @pennersr , apologies for the delayed response. I don’t have a complete history of the authentication implementation at the company I’m contracted with. I’m currently updating Allauth and transitioning from the allauth-2fa package to Allauth’s built-in MFA for two-factor authentication. We use SAML/OAuth SSO for some clients and SingPass login. Based on feedback from the QA team, I’ve learned that 2FA isn’t part of the authentication process for any of these methods. However, the recovery codes page is still visible in the profile settings for these users, which seems unnecessary—I’m considering hiding this page. Is it common practice to add internal 2FA when authentication is already handled by external IDPs? Would this be a valid use case for setting ACCOUNT_REAUTHENTICATION_REQUIRED = False to avoid reauthentication in such scenarios?
-
Also @pennersr, could you help me understand how the clocks could get out of sync between the 2FA device and the application? Now we are facing some issues where even new MFA activation and authentication have some 10-second clock-out-of-sync issue; not sure if it's a bug related to the QR code or something else. There wasn't any issue with allauth-2fa. Even for migrated users there was some sync issue. Keeping MFA_TOTP_TOLERANCE at values above 10 or 15 feels unsafe. Using Django 4.2 and allauth 65.3.0. Added an issue here.
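The clock-skew question above is easiest to reason about with a TOTP verifier in hand. The following is an added example written for this thread; it is not code from allauth or from any of the commenters. It implements RFC 4226 HOTP and RFC 6238 TOTP with Python's standard library, using the RFC 4226 test secret (ASCII "12345678901234567890", which a QR code would carry as base32 "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"). The `tolerance` parameter is assumed to behave like allauth's MFA_TOTP_TOLERANCE, i.e. the number of 30-second steps accepted on either side of the server's current step (that mapping is my assumption, not a statement of allauth's implementation). The `skew_demo` function shows why a 10-second skew produces intermittent rather than constant failures, and `accepted_window_seconds` shows what a larger tolerance costs in accepted-code width.

```python
import base64
import hashlib
import hmac
import struct

PERIOD = 30   # RFC 6238 default time step in seconds
DIGITS = 6    # code length

# Constructed sample secret: the RFC 4226 test-vector key. A QR code would
# carry it base32-encoded; both forms below decode to the same 20 bytes.
SECRET = b"12345678901234567890"
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
assert base64.b32decode(SECRET_B32) == SECRET


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, period: int = PERIOD) -> str:
    """RFC 6238 TOTP: HOTP over the number of whole periods since the epoch."""
    return hotp(secret, int(at_time // period))


def verify_totp(secret: bytes, code: str, at_time: float,
                tolerance: int = 0, period: int = PERIOD):
    """Return the step offset at which `code` matched, or None.

    `tolerance` is the number of steps accepted on either side of the
    server's current step (assumed to mirror allauth's MFA_TOTP_TOLERANCE).
    Every offset is checked with a constant-time comparison.
    """
    current_step = int(at_time // period)
    for offset in range(-tolerance, tolerance + 1):
        step = current_step + offset
        if step < 0:            # only reachable with toy timestamps
            continue
        if hmac.compare_digest(hotp(secret, step), code):
            return offset
    return None


def skew_demo(secret: bytes, server_time: float, skew_seconds: float,
              tolerance: int = 0):
    """The device's clock runs `skew_seconds` ahead of (or, if negative,
    behind) the server. Returns the matched offset, or None if rejected."""
    device_code = totp(secret, server_time + skew_seconds)
    return verify_totp(secret, device_code, server_time, tolerance)


def accepted_window_seconds(tolerance: int, period: int = PERIOD) -> int:
    """Total span of wall-clock time whose codes the server will accept."""
    return (2 * tolerance + 1) * period


def failure_fraction(skew_seconds: float, period: int = PERIOD) -> float:
    """With tolerance 0, the fraction of each period during which a device
    skewed by `skew_seconds` lands in the neighbouring step."""
    return min(abs(skew_seconds), period) / period


if __name__ == "__main__":
    # Sweep the server clock across one period with a device 10 s fast.
    for server_time in range(1_700_000_000, 1_700_000_030, 5):
        print(server_time % PERIOD, skew_demo(SECRET, server_time, 10, 0))
    # About a third of attempts fail at tolerance 0 with a 10 s skew ...
    print("failure fraction:", failure_fraction(10))
    # ... while tolerance=1 accepts a 90 s window, tolerance=10 a 630 s one.
    for tol in (0, 1, 10):
        print(tol, accepted_window_seconds(tol))
```

The sweep makes the symptom in the comment concrete: with tolerance 0, a device that is 10 seconds fast is rejected only in the last 10 seconds of each 30-second step, so users see failures roughly one attempt in three rather than every time. Raising the tolerance trades that against width: tolerance 1 accepts three consecutive codes (90 seconds of wall clock), which is the usual compromise, whereas a tolerance of 10 steps would accept 21 codes spanning more than ten minutes. If the skew is constant across all devices, fixing the server's NTP sync is the better remedy than widening the window.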
-
When generating new recovery codes, we want to skip the reauthentication flow here. GenerateRecoveryCodesView does not check the ACCOUNT_REAUTHENTICATION_REQUIRED configuration. Can this be made skippable with this configuration?