OTP - Personal backup codes
Having a TOTP authenticator for multi-factor authentication is pretty handy and a huge benefit for customers, because it comes free of charge for locally stored (on-appliance) users.
I was playing around with it for a while and came across the personal backup codes, which a user can download when logged in and Options are enabled. This kind of ICE code can come in handy, but it would be great to have more granular control over that feature.
When the TOTP authenticator is unbound, the personal backup codes still work until all of them are used. There is no way to unbind the list of personal backup codes, just in case they got compromised. The only way is to delete the user, which can be unfortunate when user-specific settings have been made.
Another aspect: when Options are enabled for the portal, the user can unbind the authenticator app, but there is no way for the user (or the administrator) to generate the personal backup codes without compromising the app binding.
Maybe this can be addressed more granularly in a future release.
/// official fan of SSL-VPN -> SRA -> SMA since 2006 \\\
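The lifecycle the post asks for, written out as an added example (this is constructed illustration code, not SonicWall SMA code, and the class and method names are assumptions): backup codes are single-use and stored only as hashes, unbinding the authenticator revokes every unused code, and a fresh set can be issued without touching the TOTP binding.

```python
"""Backup-code lifecycle model (constructed example, not appliance code).

Demonstrates three behaviours a backup-code store should have:
  * codes are single-use and kept only as hashes,
  * unbinding the TOTP authenticator revokes every unused code,
  * codes can be regenerated or revoked without changing the TOTP binding.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set

CODE_COUNT = 10
CODE_LENGTH = 8
# Alphabet without visually ambiguous characters (0/o, 1/l/i).
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _hash_code(code: str) -> str:
    """Store only a digest; a leaked database must not yield usable codes."""
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


@dataclass
class MfaUser:  # hypothetical name
    username: str
    totp_secret: Optional[bytes] = None
    # Digests of unused backup codes; a redeemed or revoked code is removed.
    backup_code_hashes: Set[str] = field(default_factory=set)

    def bind_totp(self, secret: bytes) -> None:
        self.totp_secret = secret

    def unbind_totp(self) -> None:
        """Unbinding the app also revokes all outstanding backup codes."""
        self.totp_secret = None
        self.backup_code_hashes.clear()

    def generate_backup_codes(self) -> List[str]:
        """Issue a fresh set, invalidating any previous set, without touching the binding."""
        if self.totp_secret is None:
            raise ValueError("bind an authenticator before issuing backup codes")
        codes = [
            "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
            for _ in range(CODE_COUNT)
        ]
        self.backup_code_hashes = {_hash_code(c) for c in codes}
        return codes  # shown to the user once; only digests are retained

    def revoke_backup_codes(self) -> None:
        """Admin or user action for a suspected compromise of the code list."""
        self.backup_code_hashes.clear()

    def remaining_backup_codes(self) -> int:
        return len(self.backup_code_hashes)

    def redeem_backup_code(self, code: str) -> bool:
        """Accept a code at most once; compare digests in constant time."""
        candidate = _hash_code(code)
        match = None
        for stored in self.backup_code_hashes:
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self.backup_code_hashes.discard(match)
        return True


if __name__ == "__main__":
    user = MfaUser("alice")
    user.bind_totp(b"constructed-totp-seed")
    issued = user.generate_backup_codes()
    print("issued", len(issued), "codes; first redeem:", user.redeem_backup_code(issued[0]))
    print("replay of same code:", user.redeem_backup_code(issued[0]))
    user.unbind_totp()
    print("codes left after unbind:", user.remaining_backup_codes())
```

The point of the model is that the code list is owned by the authenticator binding: losing or replacing the app invalidates the codes, and regenerating or revoking codes is an operation on the list alone, so neither action forces the user to be deleted and re-created.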