authgear-server
# 2FA Grace Period
## Problem
What’s the use case? What have we seen that motivates us to work on this?
- When a company decides to roll out 2FA to its users, it needs users to set up 2FA before making it mandatory.
- When 2FA is mandatory, a user without 2FA set up cannot complete authentication.
- This design is secure, but it also makes it hard to roll out 2FA on an existing system.
## Appetite
How much time do we want to spend and how does that constrain the solution? (Usually 2 weeks or 6 weeks)
2 weeks
## Solution
The solution; if it involves UI changes, include Fat Marker Sketches
- Update the copywriting in the portal, which is a bit confusing:
  - From: "Mandatory, 2FA is required for all users to sign in, and would be asked to set it up"
  - To: "Mandatory, 2FA is required for all users to sign in, and would be asked to set it up on sign up"
- Introduce a "Grace Period" when 2FA is mandatory.
## Grace Period for 2FA
When 2FA is mandatory, the user cannot log in if they don't have a secondary authenticator.
You can enable the following option to roll out 2FA if it was not enabled before.
Ask existing users to set up 2FA on login
[Toggle] On/Off (Default off)
- When it's enabled, users who don't have a supported 2FA will be asked to set it up after passing the primary authentication.
## Migration from one 2FA method to another
There is another case worth noting:
- If the 2FA configuration changes, e.g.
  - originally the project supported TOTP as 2FA
  - now they turn off TOTP and want to switch to Phone OTP
  - TOTP becomes an "unsupported" 2FA authenticator
- Next time the user logs in, after the primary authenticator they will be asked to set up Phone OTP, then the user is logged in. The TOTP authenticator will be removed.
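The decision this pitch describes, written out as an added Go example (constructed here, not authgear-server's own code): after primary authentication, a supported secondary authenticator is challenged, an existing user with none is routed into setup only while the grace-period toggle is on, and authenticators the project no longer supports are listed for removal once setup completes. `Config`, `Decision` and the field names are assumptions; 2FA is taken to be in "Mandatory" mode throughout.

```go
package main

import "fmt"

// Constructed illustration of the pitch's grace-period decision, not authgear-server
// code. Names are assumptions; 2FA is taken to be in "Mandatory" mode throughout.
type (
	AuthenticatorType string
	Decision          string
)
// Config models the portal toggle and the 2FA methods the project currently allows.
type Config struct {
	AskSetupOnLogin bool                       // "Ask existing users to set up 2FA on login", default off
	Supported       map[AuthenticatorType]bool // secondary authenticators still enabled
}
const (
	Challenge    Decision = "challenge"     // user has a supported 2FA: verify it
	RequireSetup Decision = "require_setup" // grace period: set up 2FA, then sign in
	Deny         Decision = "deny"          // toggle off and no usable 2FA
)

// AfterPrimaryAuth picks the next step once the primary authenticator has passed. A
// method the project dropped (TOTP after switching to Phone OTP) no longer counts
// as set up, which is what routes an existing user into 2FA setup.
func AfterPrimaryAuth(cfg Config, have []AuthenticatorType) Decision {
	for _, t := range have {
		if cfg.Supported[t] {
			return Challenge
		}
	}
	if cfg.AskSetupOnLogin {
		return RequireSetup
	}
	return Deny
}

// Unsupported lists authenticators to remove once setup of a supported one completes.
func Unsupported(cfg Config, have []AuthenticatorType) (stale []AuthenticatorType) {
	for _, t := range have {
		if !cfg.Supported[t] {
			stale = append(stale, t)
		}
	}
	return stale
}

func main() {
	// The migration case from the pitch: TOTP was turned off in favour of Phone OTP.
	cfg := Config{AskSetupOnLogin: true, Supported: map[AuthenticatorType]bool{"phone_otp": true}}
	user := []AuthenticatorType{"totp"} // enrolled before the switch
	fmt.Println(AfterPrimaryAuth(cfg, user), Unsupported(cfg, user)) // require_setup [totp]
}
```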
## Rabbit holes
Details about the solution worth calling out to avoid problems
N/A
## No-goes
Functionality or use cases we intentionally aren’t covering to fit the appetite
N/A