MFA: unique trust key for each trusted machine

Open gbarbon opened this issue 4 years ago • 0 comments

Is your feature request related to a problem? Please describe.
The current MFA implementation is using the same trust key for all the trusted machines (browsers) for a given User. It would be better to use a unique trust key for each trusted machine (browser).

Describe the solution you'd like
The trust keys can be represented as a list of elements, embedded in the MfaOption object. When a new browser is trusted, a new element is added to the list. When a user performs the login using a trust key, the whole list of trust keys is traversed, searching for the trust key that matches.

The 'disable trust' functionality should instead remain global, thus removing all the associated trust keys. Moreover, the maximum number of trust keys should be limited with a dedicated Kapua property.

Describe alternatives you've considered
PR #3166 already partially addresses the problem, by reducing the number of trusted machines to a single one.

Additional context
Note, however, that after the merge of PR #3166, traversing the list of trust keys could be expensive in terms of performance, since trust keys are encrypted with BCrypt. This means that each trust key must be evaluated with the passed trust key using BCrypt.checkpw. A possible solution could be to enrich the cookie name with further information that identifies the combination of username+browser+machine, and enrich the trust key in the backend too with this information. Then, it could be sufficient to compare only these names, and, only if they match, perform the BCrypt.checkpw.

gbarbon, Dec 14 '20 15:12
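
A sketch of the lookup proposed in the issue, added here as an illustration and not taken from Kapua or from the issue author: each trusted browser gets its own trust key, stored under a non-secret identifier, so a login costs at most one BCrypt.checkpw. It assumes the jBCrypt library (org.mindrot.jbcrypt.BCrypt); the class TrustKeyStore, its methods, the random machineId standing in for the username+browser+machine identifier, and the maxTrustKeys limit are all hypothetical names.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import org.mindrot.jbcrypt.BCrypt;

// Hypothetical sketch: class, method and field names are not Kapua's.
public class TrustKeyStore {
    private static final SecureRandom RNG = new SecureRandom();
    private final int maxTrustKeys; // stand-in for the proposed Kapua property
    // machineId (non-secret lookup handle) -> BCrypt hash of that machine's trust key
    private final Map<String, String> hashesByMachineId = new LinkedHashMap<>();

    public TrustKeyStore(int maxTrustKeys) { this.maxTrustKeys = maxTrustKeys; }

    private static String randomToken(int bytes) {
        byte[] buf = new byte[bytes];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** Trust a new browser; returns {machineId, plaintext trust key} to place in the cookie. */
    public synchronized String[] trustMachine() {
        if (hashesByMachineId.size() >= maxTrustKeys) {
            throw new IllegalStateException("trust key limit reached");
        }
        String machineId = randomToken(16);
        String trustKey = randomToken(32); // 43 characters, below BCrypt's 72-byte input limit
        hashesByMachineId.put(machineId, BCrypt.hashpw(trustKey, BCrypt.gensalt()));
        return new String[] {machineId, trustKey};
    }

    /** At most one BCrypt.checkpw per login, however many machines are trusted. */
    public synchronized boolean isTrusted(String machineId, String presentedKey) {
        if (machineId == null || presentedKey == null) return false;
        String hash = hashesByMachineId.get(machineId); // cheap name comparison first
        return hash != null && BCrypt.checkpw(presentedKey, hash);
    }

    /** 'Disable trust' stays global: drops every trust key of the user. */
    public synchronized void disableTrust() { hashesByMachineId.clear(); }

    public static void main(String[] args) {
        TrustKeyStore store = new TrustKeyStore(2); // constructed limit for the demo
        String[] laptop = store.trustMachine();
        String[] phone = store.trustMachine();
        System.out.println(store.isTrusted(laptop[0], laptop[1])); // matching id and key
        System.out.println(store.isTrusted(laptop[0], phone[1]));  // key issued to another machine
        store.disableTrust();
        System.out.println(store.isTrusted(phone[0], phone[1]));   // after the global disable
    }
}
```

The identifier only selects which hash to verify; the decision to trust the browser still rests on the BCrypt check of the secret key.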