[Portal] Authentication Settings re-organization #1715

Closed
fungc-io opened this issue Jan 4, 2022 · 7 comments

Comments

@fungc-io
Member

fungc-io commented Jan 4, 2022

When fixing bug #1705, we discovered that there was never a proper way to disable the use of MFA in our portal.
The current design does not allow adding such a toggle in a logical manner. This presents a good opportunity for us to improve the IA of the whole "Authentication" section.

The new Navigation will be:

  • (...)
  • Authentication
    • Login ID (content remains unchanged)
    • Password: On/off password + Password Policy
    • Password policy
    • Passwordless: On/Off passwordless + Priority of password/passwordless
    • MFA: On/off MFA and configs
    • Verification: (content remains unchanged)
    • Biometric: (content remains unchanged)
    • Single Sign-On (content remains unchanged)
  • Anonymous Users
  • Biometric Authentication
  • Single Sign-On
  • Password Policy
  • Advanced > Password Reset Code
  • (...)

Page content

Password

Description: Let your users authenticate themselves using passwords.

(toggle) Enable Password as authenticator?

(toggle) Force password change on next login if it does not meet the policy requirements

Basic Policies (Unchanged)

Advanced Policies (Unchanged)

Password Reset Code

Reset code valid duration (seconds)
[number input]

Passwordless

Description: Let your users log in without passwords.

Authenticators

(toggle) Passwordless via SMS
(toggle) Passwordless via Email

Priority

(toggle) Use passwordless login first if the user has a password configured (default: on)

MFA

Description: Configure the secondary authenticators requirements

(toggle) Enable Secondary Authenticators?

Secondary Authenticators

(the list and order)

MFA Requirements

Require Multi-factor Auth (dropdown)
(toggle) Disable "Do not ask again on this device" for the Multi-factor Auth

Recovery Code

Number of Recovery Codes (input)
(toggle) Allow user to retrieve or regenerate recovery code again

Notes

On the Password page and the MFA page, the first toggle will grey out the settings below, i.e. turning the features off will not make the configs below disappear.

@fungc-io fungc-io added this to To do in 2022_01_03-01_17 via automation Jan 17, 2022
@carmenlau
Contributor

@louischan-oursky While working on this, we will be facing the same empty slice problem as in #1705. When the developer disables the toggle on the password page, there is a chance that we need to save an empty slice to the primary authenticators list.

I tried to change the lists to slice pointers, so that we could save an empty slice. See carmenlau@f2d7835. Do you think it is feasible?

@carmenlau
Contributor

Also, for the new password page, some settings are for the primary authenticator only, but some are for both primary and secondary authenticators.

Primary authenticator only

  • the enable toggle
  • Password reset code

Primary and secondary authenticators

  • force password change toggle
  • Password policy

So we cannot grey out all the sections when the first toggle is off. Here are some options:

  1. Should we move the password reset code section right below the enable toggle and only grey out this section? Add some text to explain that the latter two settings are for both 1st and 2nd authenticators.
  2. Keep the password policy + force password change toggle on a separate page. The new password page only has primary authenticator related settings.

Thoughts? @fungc-io @louischan-oursky

@louischan-oursky
Collaborator

I tried to change the lists to slice pointers, so that we could save an empty slice. See carmenlau/authgear-server@f2d7835. Do you think it is feasible?

Should be ok. See https://go.dev/play/p/Vacj3ygZ7ga

So we cannot grey out all the sections when the first toggle is off. Here are some options:

What about we never grey out anything? The developer rarely needs to be concerned about whether the option applies to primary or to both. This is because in real-world usage, password and secondary password should not be used together at all.
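The slice-pointer distinction discussed above (a nil "not set" value versus an explicitly empty list), as an added Go example that is not the project's own code: the struct names, the field name, the default list and the use of encoding/json with omitempty are assumptions made for illustration; Authgear's real configuration types are not shown here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed illustration of the "empty slice" problem. Struct shapes, the
// field name and the default list are assumptions for this example.

// PlainConfig uses a plain slice. With omitempty, encoding/json treats an
// empty slice (nil or not) as empty and drops the field, so an explicitly
// emptied list does not survive a save/reload round trip: on reload the field
// is absent, the slice is nil, and the default is applied again.
type PlainConfig struct {
	PrimaryAuthenticators []string `json:"primary_authenticators,omitempty"`
}

// PtrConfig uses a slice pointer. omitempty omits only a nil pointer, so a
// pointer to an empty slice is encoded as [] and decodes back to a non-nil
// pointer: nil means "not set, apply the default", &[]string{} means
// "explicitly none".
type PtrConfig struct {
	PrimaryAuthenticators *[]string `json:"primary_authenticators,omitempty"`
}

// defaultPrimary stands in for whatever default the server applies when the
// list is not configured (constructed for this example).
var defaultPrimary = []string{"password", "oob_otp_email", "oob_otp_sms"}

// SavePlain encodes the list as the portal would after the developer edits it.
func SavePlain(list []string) (string, error) {
	b, err := json.Marshal(PlainConfig{PrimaryAuthenticators: list})
	return string(b), err
}

// LoadPlain decodes and returns the effective list plus whether the default
// was applied. Only a nil slice (field absent) triggers the default.
func LoadPlain(raw string) ([]string, bool, error) {
	var c PlainConfig
	if err := json.Unmarshal([]byte(raw), &c); err != nil {
		return nil, false, err
	}
	if c.PrimaryAuthenticators == nil {
		return defaultPrimary, true, nil
	}
	return c.PrimaryAuthenticators, false, nil
}

// SavePtr encodes a pointer; nil leaves the field out, &[]string{} writes [].
func SavePtr(list *[]string) (string, error) {
	b, err := json.Marshal(PtrConfig{PrimaryAuthenticators: list})
	return string(b), err
}

// LoadPtr decodes and applies the default only when the pointer is nil.
func LoadPtr(raw string) ([]string, bool, error) {
	var c PtrConfig
	if err := json.Unmarshal([]byte(raw), &c); err != nil {
		return nil, false, err
	}
	if c.PrimaryAuthenticators == nil {
		return defaultPrimary, true, nil
	}
	return *c.PrimaryAuthenticators, false, nil
}

func main() {
	// Developer turns the password toggle off: the list becomes empty.
	rawPlain, _ := SavePlain([]string{})
	gotPlain, defPlain, _ := LoadPlain(rawPlain)
	fmt.Printf("plain slice: saved %s, reloaded %v (default applied: %v)\n", rawPlain, gotPlain, defPlain)

	empty := []string{}
	rawPtr, _ := SavePtr(&empty)
	gotPtr, defPtr, _ := LoadPtr(rawPtr)
	fmt.Printf("slice ptr:   saved %s, reloaded %v (default applied: %v)\n", rawPtr, gotPtr, defPtr)
}
```

The plain-slice round trip ends with the default list re-enabled, which is the state the toggle was meant to turn off; the pointer version keeps `[]` in the stored document and reloads it as an empty, non-nil list.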

@chpapa
Member

chpapa commented Jan 18, 2022

Ideally these options (Force Password Change, Password Policies) should be separated for Password and MFA (Additional Password).

But since we want to postpone it and do it only when needed, what about we repeat both sections in the Password tab and the MFA tab, but add a description block under the title saying "These settings apply to Additional Password too."

Not ideal, but seems a compromise... @carmenlau

@fungc-io
Member Author

What about we never grey out anything? ... This is because in real-world usage, password and secondary password should not be used together at all.

I agree with that. Imagine a dev is using passwordless + secondary password, and they want to change the policy. The "Password" page seems the reasonable place to go. When they see the policy settings, they will likely understand that the settings do apply to secondary passwords.

Let's change the layout of the page to the following:

Password

Description: Let your users authenticate themselves using passwords.

(toggle) Use Password as primary authenticator

Password Reset Code

Reset code valid duration (seconds)
[number input]

Basic Password Policies (Unchanged)

Advanced Password Policies (Unchanged)

(toggle) Force password change on next login if it does not meet the policy requirements

  • Changed the description of the first toggle to specify "primary".
  • The Password Reset Code timeout is irrelevant if only using secondary passwords; we can just keep it there.
  • Policy settings apply to both passwords. No need to grey out anything regardless of the state of the first toggle.

@fungc-io
Member Author

fungc-io commented Jan 18, 2022

The decision after today's meeting:
To put "Password Policy" on a separate page.

Password

Description: Let your users authenticate themselves using passwords.

(toggle) Use Password as primary authenticator

Password Reset Code

Reset code valid duration (seconds)
[number input]

Change the password requirements in [Password Policy](/configuration/password-policy)
Password Policy

Description: Configure the password policy for Password and Additional Password in MFA.

(toggle) Force password change on next login if it does not meet the policy requirements

Basic Policies (Unchanged)

Advanced Policies (Unchanged)
* Added a link to Password Policy at the end of the Password page

@fungc-io
Member Author

This issue is put on hold due to the discussion and decision mentioned in #1705 (comment).
