
Add recent login email + notification

Open brendanheywood opened this issue 6 years ago • 3 comments

If you have been logged in on this device before then that counts for something rather than being on a completely unknown device.

This could work by storing and comparing Moodle's old session IDs or previous IP addresses, or some combination.

We probably need an after_login method for factors, as we only want to store things when we know we've gotten all the way through MFA. And in this method, for this factor, we'd store the new IP or session cookie value ourselves in user prefs and manage it directly.

brendanheywood avatar Oct 27 '19 06:10 brendanheywood

Here is an example of an email sent by Cloudflare when logging in from a new device. This could be easily bundled into this plugin. You don't need to actually do anything with the email, it's just an FYI, but it could have a 'this wasn't me' button, the same as the email factor. We'd want to share some logic for that.

Hi,

Your security is very important to us. This email address was used to access the Cloudflare dashboard from a new IP address:


email: BLAH BLAH
time: 2019-10-29 00:20:26 UTC
IP address: 1.136.105.105
browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36


If this was you, you can ignore this alert. If you suspect any suspicious activity on your account, please change your password and enable two-factor authentication: https://dash.cloudflare.com/profile

If you have any questions or concerns, don't hesitate to get in touch: [email protected]

Best,

Cloudflare Team

brendanheywood avatar Oct 29 '19 01:10 brendanheywood

Proposal:

A cookie with a code stored on the client side, provided to the auth page to verify.

Requirements for cookie:

  • There is only one presented code.
  • An incorrect cookie with a current timestamp should be an instant factor lock.
  • The IP coming in with a cookie MUST be the same as a 'lastverified' IP, and that must have been within 24 hrs.
  • The cookie can only be set by an input factor, and ONLY if an input factor was used to verify.

Considerations: This is a potential weakening of MFA due to device theft etc. Integrate with other factors. Factor reliance API? Might be achievable with just points.

Peterburnett avatar Jan 17 '22 02:01 Peterburnett
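The two ideas in this thread (the original "store the IP/session after a full MFA pass and compare it next time" and the later cookie proposal with its four requirements) can be modelled together. The following is an added example written for this issue, not code from the tool_mfa plugin or from either commenter: it uses an in-memory dict as a stand-in for Moodle user preferences, a plain (code, issued-timestamp) pair as a stand-in for the cookie, and the result strings 'pass', 'fail' and 'lock' as stand-ins for whatever factor states the plugin uses. The 24-hour window and the rule that a wrong code on a recent cookie locks the factor are taken from the proposal above; everything else (names, hashing, the `after_login` signature) is assumed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Assumed for this model: a cookie and its 'lastverified' record are only
# good for 24 hours, as the proposal requires.
REVERIFY_WINDOW = 24 * 3600


def _h(code: str) -> str:
    # Only a hash of the cookie code is kept server side, so a leaked
    # preferences table does not hand out usable cookies.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class DeviceRecord:
    token_hash: str      # hash of the single currently valid cookie code
    ip: str              # IP seen at the last full MFA verification
    last_verified: int   # unix time of that verification


@dataclass
class DeviceFactor:
    # Stand-in for Moodle user preferences: userid -> DeviceRecord
    prefs: Dict[int, DeviceRecord] = field(default_factory=dict)
    locked: Set[int] = field(default_factory=set)

    def after_login(self, userid: int, ip: str, now: int,
                    verified_by_input_factor: bool) -> Optional[str]:
        """Hypothetical after_login hook: runs only once MFA fully passed.

        Returns the code to place in the cookie, or None when the cookie
        may not be issued (requirement 4: only an input factor sets it).
        Overwriting the record enforces requirement 1: one code per user.
        """
        if not verified_by_input_factor:
            return None
        code = secrets.token_urlsafe(32)
        self.prefs[userid] = DeviceRecord(_h(code), ip, now)
        return code

    def verify(self, userid: int, cookie_code: Optional[str], cookie_ts: int,
               ip: str, now: int) -> str:
        """Check a presented cookie against the stored record.

        'pass'  - cookie matches, same IP as lastverified, within 24h
        'fail'  - no usable cookie; the user must use another factor
        'lock'  - wrong code on a current-looking cookie (requirement 2)
        """
        if userid in self.locked:
            return 'lock'
        rec = self.prefs.get(userid)
        if rec is None or cookie_code is None:
            return 'fail'
        if not hmac.compare_digest(rec.token_hash, _h(cookie_code)):
            # A mismatching code that claims to be recent looks like a
            # forged or replayed cookie: lock the factor immediately.
            if now - cookie_ts <= REVERIFY_WINDOW:
                self.locked.add(userid)
                return 'lock'
            return 'fail'
        # Requirement 3: same IP as the last verification, and recent.
        if ip != rec.ip or now - rec.last_verified > REVERIFY_WINDOW:
            return 'fail'
        return 'pass'
```

One consequence worth noticing when applying these rules literally: because only one code exists per user, a second device that still holds a recent but superseded cookie will hit the "incorrect cookie with a current timestamp" rule and lock the factor, so a real implementation would want to decide whether that is the intended behaviour for users who log in from more than one device.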

Above proposal continued in #48

Peterburnett avatar Jan 17 '22 03:01 Peterburnett