New Features¶ ↑

An otp_unlock feature has been added, allowing a user to unlock TOTP authentication with 3 consecutive successful TOTP authentications. Previously, once TOTP authentication was locked out, there was no way for the user to unlock it.

Any unsuccessful TOTP authentication during the unlock process prevents unlocks attempts for a configurable amount of time (15 minutes by default). By default, this limits brute force attempts to unlock TOTP authentication to less than 10^2 per day, with the odds of a successful unlock in each attempt being 1 in 10^18.
An otp_lockout_email feature has been added for emailing the user when their TOTP authentication has been locked out or unlocked, and when there has been a failed unlock attempt.
An otp_modify_email feature has been added for emailing the user when TOTP authentication has been setup or disabled for their account.
A webauthn_modify_email feature has been added for emailing the user when a WebAuthn authenticator has been added or removed from their account.
An account_from_id configuration method has been added for loading the account with the given account id.
A strftime_format configuration method has been added for configuring how Time values are formatted for display to the user.

Improvements¶ ↑