F18: admin account has email-2FA only (no TOTP) #3

Open
opened 2026-05-06 10:56:40 +01:00 by s8n · 0 comments

Severity: High
Status: Open

The admin account's only second factor is an emailed code. An email factor is only as strong as the delivery path: a compromised SMTP provider, a compromised mailbox, or hijacked DNS (MX) lets an attacker read the code. TOTP removes that dependency on email. Note that TOTP does not by itself resist phishing (a real-time proxy can relay a TOTP code); a WebAuthn/FIDO2 authenticator would be the stronger target if one is available.

Fix: Enroll a TOTP authenticator on the admin account in Authentik. Keep email 2FA as a fallback, or preferably issue static recovery codes.

Verification: s8n-ru admin login shows TOTP prompt before email.

Source: security/nullstone-server/2026-05-02.md §F18.
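Added example to support the verification step; this is not code from the audit or from the Authentik project. It takes the authenticator-device list for one user, as returned by Authentik's admin API, and reports whether a confirmed TOTP device exists rather than only an email one, so F18 can be re-checked after enrolment. The endpoint path, the field names ("type", "confirmed", "user") and the dotted device class names are assumptions to confirm against the deployed Authentik version; the sample responses are constructed.

```python
"""Added example for this finding; not code from the audit or from Authentik.

It checks, from the authenticator-device list for one user, whether the admin
account has a confirmed TOTP device rather than only an email device.

Assumptions (confirm against your Authentik version before relying on them):
  * GET /api/v3/authenticators/admin/all/?user=<pk> (Bearer token) returns a
    list of objects with at least "type", "confirmed" and "user" keys;
  * "type" is the dotted model path of the device class, e.g.
    "authentik_stages_authenticator_totp.TOTPDevice".
"""
import json
from dataclasses import dataclass, field

# Assumed Authentik device model paths.
TOTP_TYPE = "authentik_stages_authenticator_totp.TOTPDevice"
EMAIL_TYPE = "authentik_stages_authenticator_email.EmailDevice"
STATIC_TYPE = "authentik_stages_authenticator_static.StaticDevice"


@dataclass
class MfaReport:
    user: int
    totp: bool = False
    email: bool = False
    recovery: bool = False
    unconfirmed: list[str] = field(default_factory=list)

    def finding_f18_status(self) -> str:
        """F18 is resolved once a confirmed TOTP device exists."""
        return "RESOLVED" if self.totp else "OPEN"


def classify_devices(user: int, devices: list[dict]) -> MfaReport:
    """Summarise which confirmed second factors a user holds.

    Only devices belonging to `user` and marked confirmed count; an enrolment
    abandoned half-way (confirmed=False) is listed but does not satisfy F18.
    """
    report = MfaReport(user=user)
    for dev in devices:
        if dev.get("user") != user:
            continue
        kind = dev.get("type", "")
        if not dev.get("confirmed", False):
            report.unconfirmed.append(kind)
            continue
        if kind == TOTP_TYPE:
            report.totp = True
        elif kind == EMAIL_TYPE:
            report.email = True
        elif kind == STATIC_TYPE:
            report.recovery = True
    return report


def classify_response(user: int, body: str) -> MfaReport:
    """Same check from the raw JSON of the API response (paginated dict or plain list)."""
    data = json.loads(body)
    devices = data.get("results", data) if isinstance(data, dict) else data
    return classify_devices(user, devices)


# Constructed sample responses, not real data. User 1 stands in for the admin.
SAMPLE_BEFORE = json.dumps({"results": [
    {"pk": 1, "name": "email", "type": EMAIL_TYPE, "confirmed": True, "user": 1},
]})
SAMPLE_AFTER = json.dumps({"results": [
    {"pk": 1, "name": "email", "type": EMAIL_TYPE, "confirmed": True, "user": 1},
    {"pk": 2, "name": "authenticator app", "type": TOTP_TYPE, "confirmed": True, "user": 1},
    {"pk": 3, "name": "recovery codes", "type": STATIC_TYPE, "confirmed": True, "user": 1},
    {"pk": 4, "name": "someone else", "type": TOTP_TYPE, "confirmed": True, "user": 2},
]})
SAMPLE_HALF = json.dumps({"results": [
    {"pk": 1, "name": "email", "type": EMAIL_TYPE, "confirmed": True, "user": 1},
    {"pk": 5, "name": "authenticator app", "type": TOTP_TYPE, "confirmed": False, "user": 1},
]})

if __name__ == "__main__":
    for label, body in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER), ("half", SAMPLE_HALF)):
        r = classify_response(1, body)
        print(f"{label}: F18 {r.finding_f18_status()} totp={r.totp} email={r.email} "
              f"recovery={r.recovery} unconfirmed={r.unconfirmed}")
```

Feed it the real response body for the admin user's pk; the half-enrolled case is the one to watch for, since an unconfirmed TOTP device still leaves the account on email only.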

s8n added the audit, high, infra, security labels 2026-05-06 10:56:40 +01:00
Reference: veilor-org/infra#3