[GH-ISSUE #269] Ability to select valid authentication modes #199

Closed
opened 2026-02-25 23:41:34 +03:00 by kerem · 3 comments

Originally created by @dalee-bis on GitHub (Jul 19, 2019).
Original GitHub issue: https://github.com/healthchecks/healthchecks/issues/269

Due to security requirements, we may not be allowed to use login links for accounts. Would it be possible to add an option so that this can be disabled for an account? Something like a setting on the account which allows you to select valid login options from Login Link, Password or Both.

kerem closed this issue 2026-02-25 23:41:34 +03:00

@cuu508 commented on GitHub (Jul 19, 2019):

Yes, that could be added. Would have to think what to do in "Forgot Password" cases then too.

Out of curiosity, what's the rationale for that requirement?


@dalee-bis commented on GitHub (Jul 19, 2019):

Good point about the forgot password.

It's when using a mailing list for the login. It's a single point of failure if only one person has administrator on an account (which I believe is the current setup with Owner and Member?).

The idea was to use a mailing list for the main account and have only a small team with access to the password for admin access (very infrequently required). The practice is already in place of limiting access to a password so it would be an easier sell to the security board than having to define how we protect from anyone who is on a mailing list gaining access. I expect the login links are technically more secure but, from a social engineering perspective, it's much easier to get yourself added to a mailing list than to gain access to a password safe.


@cuu508 commented on GitHub (Jul 19, 2019):

OK, to rephrase (and make sure I understand correctly):

  • You would prefer to use a mailing list over a single user's email for login, to guard against the single user losing access, and so the whole organization losing access
  • But, you would prefer password-only login over a mailing list, because access to password vault is easier to guard than access to the mailing list

If that's accurate, how about:

  • Create a dedicated email address that will own the Healthchecks account. For example, healthchecks-admin@myorg.com
  • Store credentials for that email address in the password vault
  • To make logging into Healthchecks.io easier, also set a password on the account, and store that password in the vault too

How does that sound?

Just for reference, in case it's useful, here's what I currently do when I get requests to restore lost access. Say, an employee leaves the company and their colleague wants to take over the company account. In these cases I contact the former employee and get their consent to transfer the ownership. If that's not possible, but the new colleague 1) has the same company-specific email domain 2) is already a team member, that's good enough too and I transfer the ownership.

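As an added illustration (not code from the healthchecks project or from anyone in this thread) of what the requested setting would have to cover, the snippet below models a per-account list of accepted login methods and works through the "Forgot password" interaction raised above: an emailed password reset hands whoever controls the mailbox a way in, exactly like a login link, so a password-only account has to refuse emailed resets too or the restriction is meaningless. It also refuses to switch an account to password-only before a password exists, since that would lock the account out. The account address, the `LoginMethod`/`Account` names and the PBKDF2 parameters are hypothetical.

```python
"""Added example (hypothetical, not healthchecks code): per-account login policy."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Flag, auto
from typing import Optional

PBKDF2_ROUNDS = 200_000   # assumption for the example; tune to your hardware
SALT_LEN = 16


class LoginMethod(Flag):
    """Bit flags so an account can accept one method or both."""
    LOGIN_LINK = auto()
    PASSWORD = auto()


class PolicyError(ValueError):
    """Raised when a policy change would lock the account out."""


@dataclass
class Account:
    email: str
    allowed: LoginMethod
    password_hash: Optional[bytes] = None   # salt || PBKDF2 digest; None = no password set


def set_password(account: Account, password: str) -> None:
    """Store a salted PBKDF2-HMAC-SHA256 digest of the password."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    account.password_hash = salt + digest


def check_password(account: Account, password: str) -> bool:
    """Constant-time comparison against the stored digest; False if none set."""
    if account.password_hash is None:
        return False
    salt, digest = account.password_hash[:SALT_LEN], account.password_hash[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def set_allowed(account: Account, allowed: LoginMethod) -> None:
    """Change the accepted login methods, refusing combinations that lock the account out."""
    if not allowed:
        raise PolicyError("at least one login method must remain enabled")
    if allowed == LoginMethod.PASSWORD and account.password_hash is None:
        raise PolicyError("cannot switch to password-only before a password is set")
    account.allowed = allowed


def may_send_login_link(account: Account) -> bool:
    return LoginMethod.LOGIN_LINK in account.allowed


def may_send_password_reset(account: Account) -> bool:
    # An emailed reset is a login link in all but name: it trusts the mailbox.
    # Gate it by the same switch; a password-only account recovers through an
    # out-of-band owner check instead of through email.
    return LoginMethod.LOGIN_LINK in account.allowed


def login_with_password(account: Account, password: str) -> bool:
    """Password login succeeds only if the method is allowed and the password matches."""
    if LoginMethod.PASSWORD not in account.allowed:
        return False
    return check_password(account, password)


def demo() -> dict:
    """Walk a dedicated admin account (constructed sample) from link-only to password-only."""
    acct = Account("healthchecks-admin@myorg.com", LoginMethod.LOGIN_LINK)
    out = {"link_only_sends_link": may_send_login_link(acct)}
    try:
        set_allowed(acct, LoginMethod.PASSWORD)      # no password yet: must be refused
        out["lockout_refused"] = False
    except PolicyError:
        out["lockout_refused"] = True
    set_password(acct, "correct horse battery staple")
    set_allowed(acct, LoginMethod.PASSWORD)
    out["password_login"] = login_with_password(acct, "correct horse battery staple")
    out["wrong_password"] = login_with_password(acct, "hunter2")
    out["password_only_sends_link"] = may_send_login_link(acct)
    out["password_only_sends_reset"] = may_send_password_reset(acct)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design choice worth noting is that `may_send_password_reset` reuses the login-link switch rather than getting its own: once an account is password-only, the only recovery path left is the manual ownership check described in the thread, which is exactly the trade-off the original request asks to be able to make.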