
Additional authentication when disabling 2FA

Open mrowqa opened this issue 7 years ago • 10 comments

How about additional authentication when user tries to disable 2FA?

mrowqa avatar Feb 22 '18 13:02 mrowqa

What do you mean by additional authentication?

Bouke avatar Feb 22 '18 18:02 Bouke

The second step of login. Attack scenario:

  1. Bob knows your password - for example, there was a leak from another webpage and you're lazy, so you have the same password, believing in 2FA.
  2. You leave your computer for a moment and forget to lock the screen (phone call, restroom, etc.)
  3. Bob quickly disables your 2FA.

mrowqa avatar Feb 22 '18 20:02 mrowqa

Good idea; it might be better to require 2FA confirmation before disabling 2FA. Something like "sudo mode" on Github.

Bouke avatar Apr 15 '18 12:04 Bouke

Allowing a user to disable 2FA when not verified means 2FA can always be bypassed.

schinckel avatar Oct 01 '20 04:10 schinckel

Can you explain how 2fa can always be bypassed?

Bouke avatar Oct 01 '20 16:10 Bouke

Ah, it's because I'm using a "verify only when required, not on login" workflow.

In that case, this view does not require verification, and so a user can disable 2FA after login - then if there are otp_required(if_verified=True) views, they can be accessed.

I think that requiring verification on this view would not have any negative side-effects on the regular workflow. In my case I needed to re-add this view (and the show-backup-tokens view) but in an otp_required form.

schinckel avatar Oct 01 '20 23:10 schinckel

@schinckel that's covered in #388 (thanks to your earlier comment that prompted me to go look at DisableView)

moggers87 avatar Oct 01 '20 23:10 moggers87

:+1: to this. Ideally I'd like to be able to apply a decorator - something like is_recently_verified - to extra-extra-sensitive views that require immediate OTP re-verification. Would be good to have that system available for pages like:

  • Disable 2FA
  • Change Password/Email
  • Delete account

CrimsonZen avatar Feb 18 '21 19:02 CrimsonZen

(This came through as a recommendation to us from a security researcher, as extra insulation in the event of a session hijack.)

CrimsonZen avatar Feb 18 '21 19:02 CrimsonZen

+1 to this. Ideally I'd like to be able to apply a decorator - something like is_recently_verified - to extra-extra-sensitive views that require immediate OTP re-verification. Would be good to have that system available for pages like:

  • Disable 2FA
  • Change Password/Email
  • Delete account

I think that enabling 2FA should also be protected, though of course only via simple password authentication. As of now, in case of the "session hijack" one can easily lock a logged-in user.

A-dead-pixel avatar Mar 08 '23 16:03 A-dead-pixel
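The gate this thread converges on (Bouke's "sudo mode", CrimsonZen's requested is_recently_verified decorator, and A-dead-pixel's point that enabling 2FA should need a password re-entry too), as an added framework-free Python sketch. This is not django-two-factor-auth's code and not the change made in #388; Session, Request, recently_verified, disable_view, setup_view, verify_otp, reauth_password and SUDO_MAX_AGE are all hypothetical names, and the timestamps are constructed. In a Django deployment the equivalent signal would be the session's last OTP verification time rather than a dataclass field.

```python
import time
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Optional

# Assumed "sudo mode" lifetime in seconds; a real deployment picks its own value.
SUDO_MAX_AGE = 300


@dataclass
class Session:
    """Constructed stand-in for a server-side session (not a Django session)."""
    otp_verified_at: Optional[float] = None       # last successful second-factor check
    password_verified_at: Optional[float] = None  # last successful password re-entry
    twofa_enabled: bool = True


@dataclass
class Request:
    """Constructed stand-in for a request; `now` is injected so runs are deterministic."""
    session: Session
    now: float = field(default_factory=time.time)


def _is_fresh(stamp: Optional[float], now: float, max_age: int) -> bool:
    """A grant counts only if it exists and is no older than max_age seconds."""
    return stamp is not None and 0 <= now - stamp <= max_age


def recently_verified(factor: str, max_age: int = SUDO_MAX_AGE) -> Callable:
    """Hypothetical decorator in the spirit of the requested `is_recently_verified`.

    factor is "otp" or "password". If that factor was not confirmed within
    max_age seconds, the view is NOT run; a redirect-style tuple pointing at
    the re-verification step is returned instead.
    """
    attr = {"otp": "otp_verified_at", "password": "password_verified_at"}[factor]

    def decorator(view: Callable) -> Callable:
        @wraps(view)
        def wrapper(request: Request, *args, **kwargs):
            if not _is_fresh(getattr(request.session, attr), request.now, max_age):
                return ("redirect", f"reverify:{factor}")
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


@recently_verified("otp")
def disable_view(request: Request):
    """Disabling 2FA needs a fresh second factor: an unattended or hijacked
    session whose OTP check is stale never reaches this code path."""
    request.session.twofa_enabled = False
    # Consume the grant so one verification cannot be reused for a second sensitive action.
    request.session.otp_verified_at = None
    return ("ok", "2fa disabled")


@recently_verified("password")
def setup_view(request: Request):
    """Enabling 2FA needs a fresh password re-entry (no OTP device exists yet),
    so a hijacked session cannot enrol a device and lock the real owner out."""
    request.session.twofa_enabled = True
    request.session.password_verified_at = None
    return ("ok", "2fa enabled")


def verify_otp(request: Request, token_accepted: bool) -> bool:
    """Record a fresh OTP grant; checking the token itself is out of scope here."""
    if token_accepted:
        request.session.otp_verified_at = request.now
    return token_accepted


def reauth_password(request: Request, password_accepted: bool) -> bool:
    """Record a fresh password grant after the user re-enters the password."""
    if password_accepted:
        request.session.password_verified_at = request.now
    return password_accepted


def unattended_session_demo() -> tuple:
    """The thread's scenario: the session was OTP-verified at login two hours ago."""
    session = Session(otp_verified_at=1_000.0)
    request = Request(session=session, now=1_000.0 + 7_200)
    first = disable_view(request)               # refused: the login-time grant is stale
    verify_otp(request, token_accepted=True)    # the real owner re-enters a token
    second = disable_view(request)              # now allowed
    return first, second, session.twofa_enabled


if __name__ == "__main__":
    print(unattended_session_demo())
```

The "verify only when required" workflow schinckel describes is the case where otp_verified_at is never set during login; with this gate the disable view then redirects to the OTP step instead of silently turning 2FA off.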