Additional authentication when disabling 2FA #253

Open
mrowqa opened this issue Feb 22, 2018 · 10 comments

Comments

@mrowqa

mrowqa commented Feb 22, 2018

How about additional authentication when user tries to disable 2FA?

@Bouke
Collaborator

Bouke commented Feb 22, 2018

What do you mean by additional authentication?

@Bouke Bouke removed the enhancement label Feb 22, 2018
@mrowqa
Author

mrowqa commented Feb 22, 2018

The second step of login. Attack scenario:

  1. Bob knows your password - for example, there was a leak from another webpage and you're lazy, so you have the same password, believing in 2FA.
  2. You leave your computer for a moment and forget to lock the screen (phone call, restroom, etc.).
  3. Bob quickly disables your 2FA.

@Bouke
Collaborator

Bouke commented Apr 15, 2018

Good idea; it might be better to require 2FA confirmation before disabling 2FA. Something like "sudo mode" on GitHub.

@schinckel

Allowing a user to disable 2FA when not verified means 2FA can always be bypassed.

@Bouke
Collaborator

Bouke commented Oct 1, 2020

Can you explain how 2fa can always be bypassed?

@schinckel

Ah, it's because I'm using a "verify only when required, not on login" workflow.

In that case, this view does not require verification, and so a user can disable 2FA after login - then if there are otp_required(if_verified=True) views, they can be accessed.

I think that requiring verification on this view would not have any negative side-effects on the regular workflow. In my case I needed to re-add this view (and the show-backup-tokens view) but in an otp_required form.

@moggers87
Collaborator

@schinckel that's covered in #388 (thanks to your earlier comment that prompted me to go look at DisableView)

@CrimsonZen

👍 to this. Ideally I'd like to be able to apply a decorator - something like is_recently_verified - to extra-extra-sensitive views that require immediate OTP re-verification. Would be good to have that system available for pages like:

  • Disable 2FA
  • Change Password/Email
  • Delete account

@CrimsonZen

(This came through as a recommendation to us from a security researcher, as extra insulation in the event of a session hijack.)

@otargowski

+1 to this. Ideally I'd like to be able to apply a decorator - something like is_recently_verified - to extra-extra-sensitive views that require immediate OTP re-verification. Would be good to have that system available for pages like:
- Disable 2FA
- Change Password/Email
- Delete account

I think that enabling 2FA should also be protected, though of course only via simple password authentication. As of now, in case of a "session hijack" one can easily lock out a logged-in user.
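A framework-agnostic sketch of the "recently verified" gate that the two comments above ask for, added here as an example and not code from django-two-factor-auth or from any commenter. The session is a plain dict standing in for a web session, and the key name, window length and function names are assumptions.

```python
import functools
import time

# Assumed names for this sketch; they are not django-two-factor-auth identifiers.
VERIFIED_AT_KEY = "otp_verified_at"   # session key: epoch seconds of the last OTP check
RECENT_WINDOW_SECONDS = 5 * 60        # how long a successful OTP check counts as "recent"


class ReverificationRequired(Exception):
    """The caller must repeat the OTP step before this action is allowed."""


def record_verification(session, clock=time.time):
    """Call right after a successful OTP check (second login step or re-verification)."""
    session[VERIFIED_AT_KEY] = float(clock())


def is_recently_verified(session, now=None, max_age=RECENT_WINDOW_SECONDS):
    """True only if an OTP check happened within the last max_age seconds.

    A missing, malformed or future timestamp counts as NOT verified, so a
    session that only passed the password step (the "verify only when
    required" flow discussed above) cannot reach the guarded action.
    """
    now = time.time() if now is None else now
    verified_at = session.get(VERIFIED_AT_KEY)
    if not isinstance(verified_at, (int, float)) or isinstance(verified_at, bool):
        return False
    return 0 <= now - verified_at <= max_age


def requires_recent_verification(max_age=RECENT_WINDOW_SECONDS, clock=time.time):
    """Decorator for extra-sensitive actions: disable 2FA, change password/email, delete account."""
    def decorator(action):
        @functools.wraps(action)
        def guarded(session, *args, **kwargs):
            if not is_recently_verified(session, now=clock(), max_age=max_age):
                raise ReverificationRequired(action.__name__)
            return action(session, *args, **kwargs)
        return guarded
    return decorator


@requires_recent_verification()
def disable_two_factor(session, account):
    """The DisableView-style action, reachable only right after an OTP check."""
    account["two_factor_enabled"] = False
    # The device that produced the proof is now gone, so the proof is consumed:
    # the next sensitive action needs a fresh check even inside the window.
    session.pop(VERIFIED_AT_KEY, None)
    return account
```

In a real deployment the view would catch ReverificationRequired and redirect to the OTP step with a return URL, then call record_verification on success.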

6 participants