Enhancement to Two Factor Auth #123

Closed
namezk opened this Issue Apr 10, 2014 · 9 comments

namezk commented Apr 10, 2014

It would be really nice if you could include a checkbox to "save" the TFA auth, like Google, Facebook, Yahoo etc.
This way, if the user says "Trust this computer", they shouldn't be asked for TFA for the next 2 weeks, which is, in my opinion, a nice balance between security and convenience.

Thank you.

Owner

RainLoop commented Apr 10, 2014

Ok

@RainLoop RainLoop added this to the 1.4.1 milestone Apr 10, 2014

@RainLoop RainLoop self-assigned this Apr 10, 2014

@RainLoop RainLoop closed this in fa8d7e5 Apr 16, 2014

namezk commented Apr 17, 2014

Thanks for implementing this feature; however, it's not working for me as expected: once I check the "don't ask again", I don't get the OTP again, EVEN after logging out, flushing my cookies and restarting the browser.

namezk commented Apr 17, 2014

Another bug introduced here: sometimes I have to log out twice for it to work.

namezk commented Apr 17, 2014

Hi there, now I'm seeing the opposite effect :) checking "Don't ask" has no effect; if I check it and log out, I still get asked for the code next time.
Can you explain your understanding of how this should work?

@RainLoop RainLoop reopened this Apr 17, 2014

Owner

RainLoop commented Apr 17, 2014

I can't understand when I need to clear the "don't ask" timeout?

namezk commented Apr 17, 2014

You should not clear the timeout unless it has been two weeks.
I think Google and the others use a separate cookie when the user checks that box, and the next time the user tries to log in, the application checks for that cookie; if present, then no OTP.

Owner

RainLoop commented Apr 17, 2014

I understand it; when do I need to clear this cookie?

namezk commented Apr 17, 2014

I'm not a programmer, but here is what I think: If "don't ask" was checked, you shouldn't clear the OTP cookie when the user logs out. Next time the user tries to log in, you check for the presence of that cookie; if it's there, and if it's equal to or less than two weeks old, don't ask for OTP, otherwise do.
What do you think?

@RainLoop RainLoop closed this in 524743e Apr 17, 2014

namezk commented Apr 17, 2014

It works now! thanks.
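
The flow described in the thread (a separate cookie that survives logout and is honored for two weeks), as an added example that is not part of the original issue and is not RainLoop's code. The HMAC signature, the binding of the cookie to the user name, and the names `SERVER_KEY` and `session` are assumptions made here; the thread only specifies the separate cookie, the logout behaviour and the two-week age check.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

TRUST_SECONDS = 14 * 24 * 3600           # the two-week window proposed in the thread
SERVER_KEY = b"constructed-demo-secret"  # assumption: per-install secret, server-side only


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest().encode()


def issue_trust_cookie(user: str, now: int) -> str:
    """Value of the separate cookie, set after a correct OTP with the box checked."""
    payload = f"{user}|{now}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()


def otp_required(user: str, cookie: Optional[str], now: int) -> bool:
    """Login-time check: skip the OTP only for a valid, unexpired cookie for this user."""
    if not cookie or "." not in cookie:
        return True
    encoded, sig = cookie.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(encoded.encode())
        if not hmac.compare_digest(_sign(payload), sig.encode()):
            return True                   # altered or forged value
        name, issued = payload.decode().rsplit("|", 1)
        age = now - int(issued)
    except ValueError:
        return True                       # malformed value: fall back to asking
    return name != user or not (0 <= age <= TRUST_SECONDS)


def logout(cookies: Dict[str, str]) -> Dict[str, str]:
    """Logout ends the session ("session" is a hypothetical cookie name) but
    leaves the trust cookie in place to expire on its own."""
    return {k: v for k, v in cookies.items() if k != "session"}
```

Because the issue time lives inside the signed value, the server enforces the two-week limit itself and does not depend on the browser honoring the cookie's expiry.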
