Journalist 2FA setup should provide backup codes

Open huertanix opened this issue 6 years ago • 6 comments

Feature request

Journalist 2FA setup should provide backup codes.

Description

Currently, the 2FA workflow for journalists does not include the generation of 2FA backup codes, which are important for all the use cases which backup codes are useful for. Some verbiage should also be included to instruct the user to save their backup codes in their (Tails workstation KeePassX?) password manager.

User Stories

As a journalist, I would like to have backup 2FA codes available (and instructions on where to safely keep them) so that I can log into SecureDrop after I upgrade my cool phone to the new cool phone x and link up the new device with my account.

huertanix, Sep 12 '17 20:09

What about providing 3 backup code(s)? Or do we want more?

kushaldas, Nov 01 '17 13:11

Good idea, @huertanix! In practice I've seen knowledgeable users document the 2FA TOTP seed value, to help recovery situations if a phone gets lost. That's not good practice, though, and it'd be better to issue recovery codes.

@kushaldas Providing 3 backup codes is plenty—if a backup code is used, the first task should be to reset the 2FA. Documentation about how to safely store the backup codes will need to be clear. We've been training folks to stuff everything they need into KeePass within Tails, but that rubs against the grain of the purpose of 2FA a bit.

conorsch, Nov 01 '17 13:11

Here are a few questions for the design:

  • The general suggestion is to have a separate table to handle backup code logic. Is that okay to add?
  • Should the backup codes be one time usable?

kushaldas, Nov 01 '17 17:11

> The general suggestion is to have a separate table to handle backup code logic. Is that okay to add?

If we need to add a table (which it sounds like we would need unless there is something in pyotp to handle backup codes I am not aware of - I have not dug into that), it might be better waiting until #1419 is implemented as then we can do things like add tables.

> Should the backup codes be one time usable?

Yep, backup codes should be one time usable.

redshiftzero, Nov 01 '17 17:11

Backup codes are not part of the TOTP spec, so we will have to implement our own.

kushaldas, Nov 01 '17 17:11

Noting that schema changes are easier now, so we can add a new table for backup codes as necessary. Some small amount of UX + Security research tbd before proceeding. Would also need to consider how to handle it for SecureDrop Workstation users, especially if 2FA resets are mandatory.

zenmonkeykstop, Aug 18 '22 14:08
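
The design the thread converges on (three one-time backup codes kept in their own table), sketched as an added example that is not SecureDrop's code. The table name, columns, code length and PBKDF2 parameters are assumptions, and `sqlite3` stands in for the project's database layer.

```python
import hashlib
import hmac
import secrets
import sqlite3

def init_db(conn):
    # Hypothetical schema: a separate table, one row per backup code.
    conn.execute("""CREATE TABLE IF NOT EXISTS backup_codes (
        id INTEGER PRIMARY KEY,
        journalist_id INTEGER NOT NULL,
        salt BLOB NOT NULL,
        code_hash BLOB NOT NULL,
        used INTEGER NOT NULL DEFAULT 0)""")

def _hash(code, salt):
    # Salted, slow hash: a leaked table does not hand out usable codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

def issue_codes(conn, journalist_id, count=3):
    """Discard old codes, store hashes of new ones, return plaintext once."""
    conn.execute("DELETE FROM backup_codes WHERE journalist_id = ?",
                 (journalist_id,))
    codes = []
    for _ in range(count):
        code = secrets.token_hex(8)    # 64 random bits (assumed length)
        salt = secrets.token_bytes(16)
        conn.execute("INSERT INTO backup_codes (journalist_id, salt, code_hash)"
                     " VALUES (?, ?, ?)", (journalist_id, salt, _hash(code, salt)))
        codes.append(code)
    conn.commit()
    return codes

def redeem_code(conn, journalist_id, candidate):
    """Return True and burn the code if it matches an unused one."""
    rows = conn.execute("SELECT id, salt, code_hash FROM backup_codes"
                        " WHERE journalist_id = ? AND used = 0",
                        (journalist_id,)).fetchall()
    match_id = None
    for row_id, salt, code_hash in rows:
        # Constant-time comparison; check every row to avoid an early exit.
        if hmac.compare_digest(_hash(candidate, salt), code_hash):
            match_id = row_id
    if match_id is None:
        return False
    # Conditional update: a concurrent redemption cannot reuse the same row.
    cur = conn.execute("UPDATE backup_codes SET used = 1"
                       " WHERE id = ? AND used = 0", (match_id,))
    conn.commit()
    return cur.rowcount == 1
```

A successful `redeem_code` is the point at which the caller would force the 2FA reset mentioned in the thread, followed by `issue_codes` to replace the remaining codes.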