
[FEATURE] Add explicit support for 2FA systems

Open sshipway opened this issue 5 years ago • 3 comments

Is your feature request related to a problem? Please describe.
Two-factor auth systems are currently able to use Weakforced protection. However, when using a 2FA system you might wish to say that, under certain conditions, a second factor is or is not required depending on history. For example, if a user is logging in from a 'home' country then a correct password is sufficient, but if from overseas then 2FA is necessary.

Describe the solution you'd like
The -1 response currently means 'deny'. Adding a new standard response, -2, which means 'second factor required' would allow systems to handle this situation. WFD would not handle this additional authentication of course, but potentially an agent would take a -2 response to prompt for additional credentials before making a final call to WFD. This is backwards-compatible since -2 is currently a 'deny' state.

Describe alternatives you've considered
The system can already return a -2 of course, but unless this state is in the API spec then it is always at risk of being used for something else in the future. Returning additional data in the other attributes is also possible, but unless there is official support then it will discourage use.

This should not require any additional code changes but only a documentation change to reserve the -2 response code for this purpose. It might be worthwhile also reserving -3 to be 'three factors required' though that could be overkill and better handled via a secondary attribute.

sshipway, Oct 13 '19 23:10

Hmm, I'm loath to give an official way to tell the client to use MFA by adding additional return codes. The way I handle this in the weakforce-policy repo is to return "suspiciousLogin=1" in the additional attrs. I could add documentation for that, and make that the official way to indicate that something like MFA should be done.

neilcook, Oct 14 '19 09:10
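The two designs discussed above (a reserved -2 status versus a "suspiciousLogin=1" additional attribute) differ mainly in how an agent that calls wforce interprets the reply. The following is an added example, not code from the weakforced project or from either commenter: a small agent-side decision function that applies the documented 0 (allow) / -1 (deny) contract, treats a positive status as a tarpit delay in seconds, and handles both the attribute-based step-up signal and a hypothetical -2 code. The JSON response shape, in particular the `r_attrs` field name for returned attributes, is an assumption for this example and should be checked against the wforce API documentation.

```python
"""Agent-side interpretation of a wforce 'allow' reply (added example).

Assumptions (not from the project): the reply is JSON of the form
{"status": <int>, "msg": <str>, "r_attrs": {<name>: <value>, ...}} and the
policy signals a step-up by setting r_attrs["suspiciousLogin"] = "1".
"""
import json
from enum import Enum
from typing import Dict, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "second_factor_required"
    TARPIT = "tarpit"


def decide(response_json: str, legacy_client: bool = False) -> Tuple[Decision, int]:
    """Map a wforce reply to an agent decision.

    Returns (decision, tarpit_seconds). `legacy_client=True` models an agent
    that only knows the 0 / -1 contract, which is the backwards-compatibility
    argument made in the issue: an unknown negative code fails closed.
    """
    resp = json.loads(response_json)
    status = int(resp.get("status", -1))
    attrs: Dict[str, str] = resp.get("r_attrs") or {}

    if status < 0:
        # Hypothetical -2 = 'second factor required'. A client that does
        # not recognise it still denies, so nothing is opened up by accident.
        if status == -2 and not legacy_client:
            return Decision.STEP_UP, 0
        return Decision.DENY, 0

    if status > 0:
        # Positive status: wforce asks the agent to delay (tarpit) by N seconds.
        return Decision.TARPIT, status

    # status == 0: the policy allowed the attempt, but an additional attribute
    # may still request a second factor without changing the status code.
    # This is the attribute-based approach described in the thread.
    if str(attrs.get("suspiciousLogin", "0")) == "1":
        return Decision.STEP_UP, 0
    return Decision.ALLOW, 0


# Constructed sample replies, modelling the cases discussed in the thread.
SAMPLE_REPLIES = {
    "home_country_ok": '{"status": 0, "msg": "", "r_attrs": {}}',
    "overseas_needs_2fa": '{"status": 0, "msg": "", "r_attrs": {"suspiciousLogin": "1"}}',
    "rate_limited": '{"status": -1, "msg": "Too many attempts", "r_attrs": {}}',
    "proposed_minus_two": '{"status": -2, "msg": "", "r_attrs": {}}',
    "slow_down": '{"status": 5, "msg": "", "r_attrs": {}}',
}


def demo() -> Dict[str, Tuple[str, int]]:
    """Run every sample through decide() for both a new and a legacy agent."""
    out = {}
    for name, reply in SAMPLE_REPLIES.items():
        new_dec, delay = decide(reply)
        old_dec, _ = decide(reply, legacy_client=True)
        out[name] = (new_dec.value, delay)
        print(f"{name:20s} new agent: {new_dec.value:24s} legacy agent: {old_dec.value}")
    return out


if __name__ == "__main__":
    demo()
```

The point the table of outcomes makes is that the attribute route needs no new status code and cannot be misread as anything but "allowed, with a hint", while the -2 route relies on every older agent treating any negative status as a denial.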

Is weakforce-policy repo public?

jonmoesli, Jan 06 '21 13:01

> Is weakforce-policy repo public?

No, it's a proprietary repo that is part of the "commercial" version of wforce sold by Open-Xchange (as "OX Abuse Shield").

neilcook, Jan 06 '21 13:01