
Authenticator problem

Open gabriele-carbonai opened this issue 6 years ago • 6 comments

What steps will reproduce the problem?

Broke or lose your phone

What is the expected result?

Access to website without phone

What do you get instead?

Code from authenticator.

The authenticator should remember your browser after the first time you log in and ask you for the code every time you try to connect from an unknown browser. In this case the authenticator code is requested every time, but if you don't have your phone anymore, because it was lost or broken, you cannot log in to the website anymore.

Is there some option in the plugin? Because this way it is completely wrong.

gabriele-carbonai avatar Jan 09 '19 10:01 gabriele-carbonai

So your requirement is to have a fallback procedure in case you enabled 2FA and are unable to access your phone?

maxxer avatar Jan 09 '19 10:01 maxxer

Something like that. For example with Facebook and many other apps, you don't need to use 2FA every time if they already know your browser, but you must use it if you try to connect from another browser or computer.

gabriele-carbonai avatar Jan 09 '19 11:01 gabriele-carbonai

So a "Remember this device" feature. Something that won't ask you for the 2FA code on every login if the device has been trusted.

Synology does something like that. At login, if the device has authenticated successfully with 2FA at least once in the past, you're not asked for the code.

If this is what you're asking for, please update the issue title to something more meaningful, or I'll do that. Thanks

maxxer avatar Jan 09 '19 11:01 maxxer

> Something like that. For example with Facebook and many other apps, you don't need to use 2FA every time if they already know your browser, but you must use it if you try to connect from another browser or computer.

On sites like Facebook that is fine, but on others where security is the top priority, that is not the expected behavior. For example, a cryptocurrency exchange forces you to enter the code no matter what.

I agree though that it is necessary to have some sort of setting on the module that would allow different types of 2FA. Maybe browser recognition could be good.

Browser recognition/warnings if the user tries to log in from another, unknown device may also be a great feature to have.

tonydspaniard avatar Jun 16 '19 13:06 tonydspaniard

I would split this in two here.

  1. Allow the remember-me option with 2FA.
  2. Create a fallback procedure in case of a lost device.

There are a number of use cases for 2FA that do not require finance-level security and re-prompting after every session ends. I think it should at least be a configuration option to allow setting the remember-me flag along with the 2FA authentication. It could be disabled by default, but I think it should be possible to have it as an option.

Regarding the lost 2FA device: maybe have an option for an unauthenticated user to request 2FA disabling via an e-mail link, similar to the password reset functionality? Currently, if the 2FA device is lost, it seems the only way around it is to request 2FA disabling from the site admin?

TonisOrmisson avatar Jun 20 '19 08:06 TonisOrmisson

@TonisOrmisson

I think it is a mix of what @maxxer stated and what you said.

  1. Allow the remember-device option with 2FA (that will decrease security and not request 2FA if you log in with a trusted device)
  2. Provide an alert mechanism to inform the user that a login has been performed from another device
  3. Implement a fallback procedure to inform the admin to roll back the 2FA configuration.

About the fallback feature (solutions):

  1. Force registering a phone number in the recovery process. That will add extra cost according to carriers and services (Nexmo, Twilio, etc.). Once registered and the code is received, 2FA could be switched from QR code to SMS as an alternative to log in (that would also be updated in the user settings)
  2. Tell the users to use Authy (https://authy.com/features/backup/) as it has a way to back up your codes, unlike Google Authenticator.
  3. Allow disabling via a mail token; no action is performed if the token link is not clicked by the user.

tonydspaniard avatar Jun 29 '19 05:06 tonydspaniard
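The two mechanisms discussed in this thread, a "remember this device" option that skips the 2FA prompt on a browser that has already passed 2FA (TonisOrmisson's point 1 and tonydspaniard's point 1, with the "alert on login from another device" flag from point 2) and a one-shot e-mail token for disabling 2FA after a lost device (point 3 of the fallback list), sketched as plain PHP. This is an added example, not code from yii2-usuario or from any commenter; the class and function names are hypothetical, the in-memory arrays stand in for database tables, and the clock is passed in explicitly so the expiry rules are visible.

```php
<?php
declare(strict_types=1);

// Added example (not yii2-usuario code). Both stores keep only a SHA-256 of the
// secret they hand out, so a leaked table does not yield a usable cookie or link.

final class TrustedDeviceStore
{
    /** @var array<string, array{user_id:int, expires:int}> keyed by sha256(cookie value) */
    private array $devices = [];

    public function __construct(private int $ttlSeconds = 30 * 86400) {}

    /** Called after a successful 2FA login; the returned value belongs in an HttpOnly, Secure cookie. */
    public function issue(int $userId, int $now): string
    {
        $raw = bin2hex(random_bytes(32));
        $this->devices[hash('sha256', $raw)] = ['user_id' => $userId, 'expires' => $now + $this->ttlSeconds];
        return $raw;
    }

    /** True when the cookie was issued for this user and is still inside its lifetime. */
    public function isTrusted(int $userId, ?string $cookie, int $now): bool
    {
        if ($cookie === null) {
            return false;
        }
        $key = hash('sha256', $cookie);
        $entry = $this->devices[$key] ?? null;
        if ($entry === null || $entry['user_id'] !== $userId) {
            return false; // unknown cookie, or a cookie issued for a different account
        }
        if ($entry['expires'] <= $now) {
            unset($this->devices[$key]); // expired: drop it so it cannot be reused later
            return false;
        }
        return true;
    }

    /** Forget every trusted device of a user, e.g. after a password change or when 2FA is disabled. */
    public function revokeAll(int $userId): void
    {
        $this->devices = array_filter($this->devices, fn(array $e) => $e['user_id'] !== $userId);
    }
}

final class TwoFactorRecovery
{
    /** @var array<string, array{user_id:int, expires:int}> keyed by sha256(e-mailed token) */
    private array $tokens = [];

    public function __construct(private int $ttlSeconds = 3600) {}

    /** Unauthenticated request: returns the raw token for the e-mail link. Nothing changes until it is clicked. */
    public function request(int $userId, int $now): string
    {
        $raw = bin2hex(random_bytes(32));
        $this->tokens[hash('sha256', $raw)] = ['user_id' => $userId, 'expires' => $now + $this->ttlSeconds];
        return $raw;
    }

    /** Link clicked: returns the user id whose 2FA may now be disabled, or null if unknown, expired or used. */
    public function confirm(string $raw, int $now): ?int
    {
        $key = hash('sha256', $raw);
        $entry = $this->tokens[$key] ?? null;
        unset($this->tokens[$key]); // single use: consumed on the first attempt, valid or not
        if ($entry === null || $entry['expires'] <= $now) {
            return null;
        }
        return $entry['user_id'];
    }
}

/** Decision after the password check: skip the code prompt on a trusted device, alert the user otherwise. */
function secondFactorDecision(TrustedDeviceStore $store, int $userId, ?string $cookie, int $now): array
{
    $trusted = $store->isTrusted($userId, $cookie, $now);
    return ['prompt_2fa' => !$trusted, 'alert_unknown_device' => !$trusted];
}

// Walk-through with constructed values.
$now = 1_700_000_000;
$devices = new TrustedDeviceStore();
$cookie = $devices->issue(42, $now);                                           // set after the first 2FA login
print_r(secondFactorDecision($devices, 42, $cookie, $now + 86400));            // prompt_2fa false: trusted
print_r(secondFactorDecision($devices, 7, $cookie, $now + 86400));             // prompt_2fa true: other account
print_r(secondFactorDecision($devices, 42, $cookie, $now + 31 * 86400));       // prompt_2fa true: expired

$recovery = new TwoFactorRecovery();
$link = $recovery->request(42, $now);                                          // sent to the account's e-mail
var_dump($recovery->confirm($link, $now + 60));                                // int(42): disable 2FA, then revokeAll(42)
var_dump($recovery->confirm($link, $now + 60));                                // NULL: the token was already consumed
```

The lifetime of the device cookie is the knob TonisOrmisson asks for: a short TTL (or none) gives the exchange-style "always ask" behaviour, a longer one gives the Facebook-style experience. When the recovery link is confirmed the caller should both clear the user's 2FA secret and call `revokeAll()`, otherwise a previously trusted browser would keep bypassing a second factor that no longer exists.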