An issue I see is that when using Multi-Factor Auth the same user can create multiple accounts with the same cell number / guardian app. I don’t mind this per se, but is there a way to block all users that use a specific number/device?
Just to get some more understanding of your issue: are you talking about device binding, i.e. only one device can generate a valid OTP?
Kinda; I want a way to track if someone used the same devices for OTP on different accounts (so rather than one device generating OTP, I’d want only one account to have a specific OTP source). If preventing using the same SMS/guardian app to make multiple accounts is easiest I’m fine doing that, but blocking them all after the fact is fine too.
- Create an account via email and use guardian app/SMS to log on; success!
- Does something block-worthy.
- Creates a second account using same SMS/app, letting them easily do it again.
I’d like to either be able to ban both at once (based on using same MFA source) or as you mentioned device binding works too.