
Request key verification to disable two factor authentication

Open jbonor opened this issue 4 years ago • 6 comments

Hi, once enabled, the plugin should request a key verification to disable two-factor authentication. BR.

jbonor avatar Sep 13 '21 16:09 jbonor

I'm not sure about this. What threat would this mitigate? Someone who finds an open session of yours and disables 2FA... and then what? That doesn't enable them to do anything more than they can already do with your open session. And the next time you log in yourself you'll notice it's not asking for 2FA so something must be wrong.

bartnv avatar Jan 24 '22 20:01 bartnv

Seems obvious to me: it will prevent someone who steals the authentication cookie or gets into the account while the person is away from the device from taking over the account permanently. That is, if for changing the password and/or second-factor authentication both (password and second factor) are again requested.

I'm betting many people would not have lost YouTube channels and Google accounts in general if Google requested, besides the password, also the second factor for doing some account changes, especially security keys (FIDO U2F), from which attackers can't grab the private key... at least that can stop the attack if the user doesn't authorize the action. Personally I like FIDO2 more because it allows setting up a PIN that also stops people with access to the security key from using it (if they don't know the PIN). And yes, I do have a FIDO2 security key with PIN enabled.

JohnPlanetary avatar Dec 02 '22 06:12 JohnPlanetary

That's a valid point. Before adding this feature though I think we'll need some admin tooling first, to deal with cases like someone losing their FIDO2 key(s) and getting locked out. Currently the admin would have to manually edit the serialized plugin data in the database, which is not great. I'll put this on my todo list.

bartnv avatar Dec 21 '22 11:12 bartnv

Just installed this plugin and had zero issues, just smooth sailing, thank you!

I think this feature request is a great idea!

Jieiku avatar Feb 19 '23 05:02 Jieiku

I've just pushed version 1.3 which adds this feature. Please test and let me know if this works as you expect it to.

bartnv avatar May 31 '23 15:05 bartnv

I gave this a test. It looks like it mostly works, but there is a minor (and non-security) bug I've run into. It occurs when you change a setting, go to save it, but click Cancel on the FIDO confirmation dialog instead of touching the FIDO key.

Below, a "config" is the state of the two checkboxes. I've named each one to make it clearer.

  • Start config: start with Lock checked (and already saved); call this the "Start config".
  • Cancel config: make a change to one or both checkboxes, click Save, click Cancel (on the OS FIDO dialog).
  • Save config: make another change to one or both checkboxes, click Save, touch the FIDO key.
  • Refreshed config: refresh the browser to view the results.
  • Expected results: the Refreshed config should match the Save config.
  • Actual results: except for the case where the Start config and Save config are exact opposites, the Refreshed and Save configs do not match.

gurnec avatar May 31 '23 17:05 gurnec
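The following is an added illustration, not code from the plugin or from anyone in this thread: a small Python model of the settings-save flow with the behaviour bartnv's 1.3 feature is meant to enforce (a change is committed only after a completed WebAuthn assertion) and the property gurnec's report checks (after Cancel, then Save with a key touch, the Refreshed config equals the Save config). It assumes two boolean checkboxes, the reporter's "Lock" and a second one whose name is made up here, and it walks every combination of cancelled and saved changes from the reporter's Start config rather than only the cases listed above.

```python
from itertools import product

# Constructed sample: "lock" is the reporter's "Lock" checkbox; the name
# of the second checkbox is an assumption.
START_CONFIG = {"lock": True, "other": False}

class SettingsPage:
    def __init__(self, saved):
        self.saved = dict(saved)  # what the database holds
        self.form = dict(saved)   # what the checkboxes currently show

    def toggle(self, name):
        self.form[name] = not self.form[name]

    def save(self, key_touched):
        """Click Save: commit only after a completed WebAuthn assertion."""
        if not key_touched:
            # Cancel on the FIDO dialog: commit nothing, leave the form as is.
            return False
        # Commit the whole visible form, never a delta from an earlier
        # (possibly cancelled) submission.
        self.saved = dict(self.form)
        return True

    def refresh(self):
        self.form = dict(self.saved)  # reload: show only what was saved
        return dict(self.form)

def run_sequence(cancel_toggles, save_toggles, start=START_CONFIG):
    """The reporter's sequence: change, Save, Cancel the dialog; change again,
    Save, touch the key; refresh.  Returns (saved_after_cancel, save, refreshed)."""
    page = SettingsPage(start)
    for name in cancel_toggles:
        page.toggle(name)
    page.save(key_touched=False)
    saved_after_cancel = dict(page.saved)
    for name in save_toggles:
        page.toggle(name)
    save_config = dict(page.form)
    page.save(key_touched=True)
    return saved_after_cancel, save_config, page.refresh()

def all_sequences_consistent():
    """Refreshed == Save for every combination, and Cancel never persists."""
    subsets = [(), ("lock",), ("other",), ("lock", "other")]
    for cancel_toggles, save_toggles in product(subsets, repeat=2):
        after_cancel, save_cfg, refreshed = run_sequence(cancel_toggles, save_toggles)
        if after_cancel != START_CONFIG or save_cfg != refreshed:
            return False
    return True
```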