Add trusted devices for 2FA #559
Conversation
|
See #265 (comment) as well. |
|
Local storage and server side sounds like a super strange combination to me?! 😄 |
|
Why? We can use a combination of both to identify trusted devices. |
|
How is the server supposed to validate data in the local storage? |
|
🤦♂ Was too early in the morning 😂 |
leofeyer
force-pushed
the
master
branch
2 times, most recently
from
b2174a9
to
8728020
Compare
bytehead
force-pushed
the
feature/2fa-trusted-devices
branch
2 times, most recently
from
9cc1497
to
a780be2
Compare
bytehead
force-pushed
the
feature/2fa-trusted-devices
branch
from
a780be2
to
879e33c
Compare
bytehead
force-pushed
the
feature/2fa-trusted-devices
branch
2 times, most recently
from
1567d04
to
75cff33
Compare
A cookie can be set/modified client-side, but the same is for the User-Agent. Why is checking for both cookie and user-agent considered as more secure then? |
|
I would assume the cookie is sort of signed to prevent modification. As you can see in the screen shot, only the browser name is shown but not the version, so that should not be a problem? |
bytehead
force-pushed
the
feature/2fa-trusted-devices
branch
2 times, most recently
from
1080920
to
4b7cb34
Compare
bytehead
force-pushed
the
feature/2fa-trusted-devices
branch
from
4b7cb34
to
c081695
Compare
bytehead
force-pushed
the
feature/2fa-trusted-devices
branch
2 times, most recently
from
8a8f331
to
064f590
Compare
core-bundle/src/Security/TwoFactor/TrustedDevice/TrustedDeviceManager.php
Outdated
Show resolved
Hide resolved
core-bundle/src/Controller/FrontendModule/TwoFactorController.php
Outdated
Show resolved
Hide resolved
core-bundle/src/Resources/contao/templates/backend/be_two_factor.html5
Outdated
Show resolved
Hide resolved
core-bundle/src/Resources/contao/templates/modules/mod_two_factor.html5
Outdated
Show resolved
Hide resolved
|
Thanks a lot for your hard work @bytehead. |
This is a first draft of a trusted devices implementation for the Contao 2FA.
It uses the built-in stuff from the
scheb/two-factor-bundleand I would consider this as a poor man implementation because it only sets a versioned cookie and does not care about user agent or the like.My advice would be to store a GUID in a cookie
or in local storageAND use the User-Agent header to identify and store the device server-side as a trusted device. As of this we can show a list of trusted devices to the user where he easily can remove the ones he wants (or even all).We should send an email when a new device is flagged as a trusted device. If the user didn't add it, or if he doesn't recognize the device information, he can clear his trusted devices immediately.
ToDo:
Decide if cookie or local storageSend an e-mail if a new trusted device is added2FA login screen:
2FA backend module:
2FA frontend module:
