11-21-2017, 12:57 AM
Hi Troixoin,
My thoughts are that something unexpected could occur, and users may be able to bypass the 2FA check since twoPassed is defaulted to true as you define it as true, and only change it to false if the check fails.
My recommendation is to change this to false by default, and update it to true only if the check passes.
That way you cover bases of something unexpected and users being able to gain access when they shouldn't.
This is all theoretical, but I think rejecting for all reasons and accepting for one versus the opposite is more secure and safer.
B.
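The fail-open versus fail-closed pattern discussed in the reply above, as an added example that is not code from the thread: the OTP verifier, its VerifierUnavailable error and the login helpers are constructed stand-ins, and the "unexpected" event is modelled as a swallowed backend error.

```python
import hmac


class VerifierUnavailable(Exception):
    """Constructed: stands in for any unexpected error raised during the 2FA check."""


def verify_code(submitted: str, expected: str, service_up: bool = True) -> bool:
    """Constructed stand-in for an OTP/TOTP check; raises when the backend is down."""
    if not service_up:
        raise VerifierUnavailable("OTP backend unreachable")
    # Constant-time comparison so the check itself does not leak timing information.
    return hmac.compare_digest(submitted, expected)


def login_fail_open(submitted: str, expected: str, service_up: bool = True) -> bool:
    """The pattern questioned in the thread: twoPassed starts True and is only
    flipped to False when the check explicitly fails."""
    twoPassed = True
    try:
        if not verify_code(submitted, expected, service_up):
            twoPassed = False
    except VerifierUnavailable:
        # The unexpected path: the flag is never touched, so the caller is let in.
        pass
    return twoPassed


def login_fail_closed(submitted: str, expected: str, service_up: bool = True) -> bool:
    """The recommended pattern: twoPassed starts False and becomes True only when
    the check positively passes, so every other outcome denies access."""
    twoPassed = False
    try:
        if verify_code(submitted, expected, service_up):
            twoPassed = True
    except VerifierUnavailable:
        # Same swallowed error, but the default still denies; log and move on.
        pass
    return twoPassed


if __name__ == "__main__":
    # Backend outage with a wrong code: fail-open admits, fail-closed denies.
    print("fail-open :", login_fail_open("000000", "123456", service_up=False))
    print("fail-closed:", login_fail_closed("000000", "123456", service_up=False))
```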