
2FA #196

Closed
vygandas opened this issue Jan 28, 2024 · 0 comments · Fixed by #213
vygandas commented Jan 28, 2024

Here are some nice tutorials on how to get started:

Acceptance Criteria:

  • In Profile, there should be a link to Security (new page)
  • On the Security page, there would be a toggle to enable 2FA
  • If the user clicks on enable 2FA, a QR code appears with the message "Open your Authenticator app (for example, Google Authenticator, DUO, Microsoft Security app) and scan the QR code"
  • User scans the QR and gets a code, which can then be entered to confirm the connection
  • If the code is incorrect, there should be an error message saying "Code is incorrect."
  • When the user enters a valid code, 2fa gets enabled and the user is presented with 8 codes for recovery; the message says "These are your recovery codes in case you lose your Authenticator app. Print them and keep them safe".
  • Recovery codes are encrypted like passwords, but they are more simplified, just 8 alpha num symbols
  • When a user is prompted to enter the 2fa code, there's a link at the bottom of the form saying "I don't have access to my 2fa and need to reset with recovery code"
  • In case of 2fa recovery, the user gets prompted to enter a recovery code
  • If a recovery code is entered, the user gets logged out with a message saying "Check your email for further recovery steps"
  • On email, there's a link sent to disable 2fa; the link has a code generated (long one) which is saved to the user in db
  • when clicked and if link code matches, it opens a page with the message "Your 2fa was disabled, please log-in and enable 2fa again". That's how it gets turned off.
  • Recovering/turning it off means all recovery passwords get invalidated and deleted
  • Auth middleware now checks if 2FA is turned ON and if it is ON, then it has to be also authenticated. If it's off, then normal flow

Note: we intentionally don't want to tell the person if the recovery code was correct or not so it wouldn't be brute-forceable

Note: we want to have the 2fa disable link sent to email in case a hacker finds the password but still doesn't have access to the user's email

@PhamAnhHoang PhamAnhHoang linked a pull request Feb 7, 2024 that will close this issue
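The acceptance criteria above describe a complete second-factor flow: TOTP enrollment confirmed by a code, eight hashed recovery codes shown once, a recovery step that never reveals whether the code matched, an email link with a long token that disables 2FA and wipes the recovery codes, and a middleware check. The following is an added example written for this page, not code from the project or from the issue author; it uses only the Python standard library, an in-memory `dict` in place of the user table and an `outbox` list in place of the mailer, and every function and field name in it (`enable_2fa`, `request_2fa_recovery`, `disable_2fa_via_link`, `request_allowed`, `disable_token`, ...) is a hypothetical name chosen for the example.

```python
"""Added example: TOTP enrollment, recovery codes and the email disable link,
following the acceptance criteria in the issue. Storage is an in-memory dict."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

TOTP_STEP = 30
TOTP_DIGITS = 6
RECOVERY_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 8 alphanumerics, no 0/O/1/I
RECOVERY_CODE_LEN = 8
RECOVERY_CODE_COUNT = 8


def generate_totp_secret():
    """Random 160-bit secret, base32 encoded; this is what the QR code carries."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def totp_code(secret_b32, for_time, digits=TOTP_DIGITS, step=TOTP_STEP):
    """RFC 6238 TOTP over HMAC-SHA1, the algorithm authenticator apps compute."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, submitted, for_time=None, window=1):
    """Accept the current code and +/- `window` steps to tolerate clock drift."""
    now = int(time.time()) if for_time is None else for_time
    for delta in range(-window, window + 1):
        expected = totp_code(secret_b32, now + delta * TOTP_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def hash_recovery_code(code, salt):
    """Recovery codes are stored like passwords (salted PBKDF2), never in clear."""
    return hashlib.pbkdf2_hmac("sha256", code.encode("ascii"), salt, 100_000)


def generate_recovery_codes(count=RECOVERY_CODE_COUNT):
    """Return (plaintext codes to show exactly once, hashed records to store)."""
    plain = ["".join(secrets.choice(RECOVERY_ALPHABET) for _ in range(RECOVERY_CODE_LEN))
             for _ in range(count)]
    stored = []
    for code in plain:
        salt = secrets.token_bytes(16)
        stored.append({"salt": salt, "hash": hash_recovery_code(code, salt)})
    return plain, stored


def enable_2fa(user, secret_b32, confirmation_code, for_time=None):
    """Scan-and-confirm step: 2FA is enabled only after one valid code."""
    if not verify_totp(secret_b32, confirmation_code, for_time):
        return False, []  # UI shows "Code is incorrect."
    plain, stored = generate_recovery_codes()
    user["totp_secret"] = secret_b32
    user["twofa_enabled"] = True
    user["recovery_codes"] = stored
    return True, plain  # shown once; the server keeps only the hashes


def request_2fa_recovery(user, submitted_code):
    """Recovery step: the caller always gets the same message. Only on a match is
    a long token saved on the user and the disable link 'sent' (here: outbox)."""
    matched = False
    for rec in user.get("recovery_codes", []):  # check every code, no early exit
        if hmac.compare_digest(hash_recovery_code(submitted_code, rec["salt"]), rec["hash"]):
            matched = True
    if matched:
        token = secrets.token_urlsafe(32)
        user["disable_token"] = token
        user["outbox"].append("/2fa/disable?token=" + token)
    return "Check your email for further recovery steps"


def disable_2fa_via_link(user, token):
    """Email-link step: a matching token turns 2FA off and wipes all recovery codes."""
    stored = user.get("disable_token")
    if stored is None or not hmac.compare_digest(stored.encode(), token.encode()):
        return None  # unknown token: nothing changes
    user["twofa_enabled"] = False
    user["totp_secret"] = None
    user["recovery_codes"] = []
    user["disable_token"] = None
    return "Your 2fa was disabled, please log-in and enable 2fa again"


def request_allowed(user, session):
    """Auth middleware: with 2FA on, a password-only session is not enough."""
    if not session.get("password_ok"):
        return False
    if user.get("twofa_enabled"):
        return bool(session.get("second_factor_ok"))
    return True
```

`request_2fa_recovery` checks every stored code rather than stopping at the first match so that the response and its timing do not depend on which (if any) code matched, which is what the first note in the issue asks for; the disable link does the real work only after a token comparison that uses `hmac.compare_digest`.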