Provide a secure service by accurately identifying users. Includes guidance on:
Few short observations about doing two factor authentication (I was writing this down for someone anyway so thought I might as well put it here).
By text message
Front-load the code in the text message
Call it a ‘security code’
This is friendlier than ‘2FA’ or ‘two factor’. I think Verify use this wording as well.
Question how long the code needs to be
6 digits seems to be standard for authenticator apps. 4 or 5 feels way easier to transpose from one place to another. Anecdotally people with dyslexia find long codes troublesome.
If using email for quasi-two-factor authentication make it a tokenised link, not a code that people have to copy/paste.
@quis we followed your guidance for authentication by email. We send the user a token link that expires in 24 hours. If they click on the link, they get access to our form and then we destroy the token. However, some users are having problems. Our users work in organisations. These organisations have security policies or infrastructure that we don't have control over. When the users click on the link, the website says something along the lines of "this link has been already used or it's invalid please make a new request".
If the user copies and pastes the link instead of clicking it, then it actually works.
We are considering the following options:
We'd be interested in your advice or anyone else's
@sulthan-ahmed we have seen the same problem occasionally, but haven’t got round to fixing it yet. There’s a story in our backlog here: https://www.pivotaltracker.com/story/show/158630655
If it’s one particular organisation you’re dealing with maybe you can get their IT team to turn this behaviour off?
Super stuff @quis, thanks for the rapid response. Ahh, useful to know the background.
Also we never thought of the solutions you suggested. That's very helpful. Question: what do you mean by the last two bullets?
The user has to click a button on the page they get from the email link
This would change the flow from:
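An added illustration of the button-click flow described above (my own example, not Notify's code): the emailed link is only checked on GET and rendered as a page with a button, and the token is consumed on the POST that button sends, so a link scanner that pre-fetches the URL cannot burn it. The store and scenarios are constructed in memory; the 24-hour lifetime matches the expiry mentioned in the thread.

```python
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(hours=24)  # the 24-hour expiry described in the thread
_tokens = {}  # constructed in-memory store: token -> (email, expiry); a real service persists this

def issue_token(email, now):
    """Create a single-use sign-in token to embed in the emailed link."""
    token = secrets.token_urlsafe(32)
    _tokens[token] = (email, now + TOKEN_LIFETIME)
    return token

def handle_get(token, now):
    """GET of the emailed link: check the token and show a page with a button.
    The token is NOT consumed here, so a mail security scanner that pre-fetches
    the link cannot burn it before the user arrives."""
    entry = _tokens.get(token)
    if entry is None or now > entry[1]:
        return "invalid"
    return "confirm_page"  # the page's form POSTs the same token back

def handle_post(token, now):
    """POST from the button: consume the token exactly once.
    Returns the signed-in email, or None if unknown, already used or expired."""
    entry = _tokens.pop(token, None)
    if entry is None or now > entry[1]:
        return None
    return entry[0]

def scanner_then_user(email):
    """Constructed scenario: a scanner fetches the link, then the real user clicks through."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    token = issue_token(email, now)
    scanner = handle_get(token, now + timedelta(seconds=5))      # pre-fetch by scanner
    user_page = handle_get(token, now + timedelta(minutes=10))   # user opens the page
    signed_in = handle_post(token, now + timedelta(minutes=11))  # user presses the button
    replay = handle_post(token, now + timedelta(minutes=12))     # token already destroyed
    return scanner, user_page, signed_in, replay

def expired_link(email):
    """Constructed scenario: link opened 25 hours after it was issued."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    token = issue_token(email, now)
    late = now + timedelta(hours=25)
    return handle_get(token, late), handle_post(token, late)
```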
On GOV.UK Notify we recently came across this problem and came up with a solution so thought I'd share.
For people that sign in with username and password and use text message 2fa (often with a personal phone number), there’s no way for us to know if they still have access to their inbox. This means people can leave an organisation, have their email account closed, but if the team doesn’t remove them from the Notify account, they’ll still have access forever. That’s not good.
So we should periodically send people that use text message 2fa an email, so that we can confirm the email account is still valid and they have access. It’s not foolproof, but it’s a good backup measure.
When someone is logging in and they:
are on text message 2fa AND
‘validated’ includes password changed at (which is also updated when you first create your account) and these re-validations - so we’ll need to store a date of last validation against a user and bump it each time either of these events happens.
Then we show them an explanatory screen and send them a re-validation email after they enter the text message 2fa code.
Until they click the token in the email, they can’t do anything. They could log on again to trigger another re-validation email (not locked out or anything).
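The re-validation rule above as an added worked example (mine, not Notify's implementation): a last-validation date is stored per user, bumped on password change and on clicking the re-validation token, and checked after the text message code is accepted. The thread does not state the interval, so the 90-day threshold is an assumed placeholder.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed threshold: the thread gives no interval, so 90 days is a placeholder.
REVALIDATION_INTERVAL = timedelta(days=90)

@dataclass
class User:
    email: str
    auth_type: str               # "sms" or "email"; email-2fa users prove inbox access on every login
    last_validated_at: datetime  # bumped on account creation, password change and re-validation
    blocked_pending_revalidation: bool = False

def needs_revalidation(user, now):
    """True when an SMS-2fa user has not proven inbox access within the interval."""
    return user.auth_type == "sms" and now - user.last_validated_at > REVALIDATION_INTERVAL

def after_sms_code_accepted(user, now):
    """Called once the text message code is verified: either sign the user in,
    or block them behind the explanatory screen and ask for a re-validation email."""
    if needs_revalidation(user, now):
        user.blocked_pending_revalidation = True
        return "send_revalidation_email"
    return "signed_in"

def on_password_changed(user, now):
    """A password change counts as validation, so the date is bumped."""
    user.last_validated_at = now

def on_revalidation_token_clicked(user, now):
    """User clicked the token in the email: lift the block and bump the date."""
    user.last_validated_at = now
    user.blocked_pending_revalidation = False
    return "signed_in"

def scenario():
    """Constructed walk-through: a stale SMS user is blocked, re-validates, then passes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    user = User("user@example.gov.uk", "sms", t0)
    fresh = after_sms_code_accepted(user, t0 + timedelta(days=30))    # within interval
    stale = after_sms_code_accepted(user, t0 + timedelta(days=120))   # past interval
    blocked = user.blocked_pending_revalidation
    on_revalidation_token_clicked(user, t0 + timedelta(days=120))
    again = after_sms_code_accepted(user, t0 + timedelta(days=121))   # freshly validated
    email_user = User("other@example.gov.uk", "email", t0)
    never = after_sms_code_accepted(email_user, t0 + timedelta(days=400))  # email 2fa is exempt
    return fresh, stale, blocked, again, never
```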
Posting this on behalf of a user:
It would be good to know if other teams have been advised to do this by their security or IT teams.
It's a common issue that gets brought up. It does seem to go against this guidance: https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords
And I'm pretty sure most password managers in browsers or addons just ignore it anyway.
From Firefox's docs
I can see that discussion from hmrc/design-patterns#117 was moved here, but I don't see any progress.
I am stuck getting the
How long should a 2fa code be valid for before it expires. Here I am thinking about the case of a user requesting a code on a web page and then receiving that code on their mobile (which may be a separate device) and then needing to enter that code into the web page and click submit before their code has been considered expired.
2fa SMS codes are currently valid for 30 minutes on GOV.UK Notify.
We sometimes get people advocating for shorter time, as low as say 60 seconds, likely for the reasons of 'security'.
I believe the accessibility regulations would require us to take an estimate of how long a user without accessibility needs may need to do the task and then times that number by 10 to give extra time to those with accessibility needs.
At a finger-in-the-air estimate, a user without accessibility needs may need as much as 30-60 seconds after receiving the code to locate the code, enter the code and click submit, meaning that we would likely suggest a minimum of 5-10 minutes. This doesn't take into account any time spent between the code being generated and it arriving on the user's phone, which will often be within a minute but could sometimes be longer.
The situation should also be considered if the code is sent via a different channel such as email (my hypothesis is that you need slightly longer to navigate and log in to your email account than you would to get to your text messages).
The minimum amount of time a code should be valid for may differ dependent on the service, but if any guidance/patterns are produced on this, I would like to see a minimum and/or suggested time validity :)