Add trusted devices for 2FA #559
See #265 (comment) as well.

Local storage and server side sounds like a super strange combination to me?! 😄

Why? We can use a combination of both to identify trusted devices.

How is the server supposed to validate data in the local storage?

🤦‍♂️ Was too early in the morning 😂
A cookie can be set/modified client-side, but the same is true for the User-Agent. Why is checking for both cookie and user-agent considered more secure then?

I would assume the cookie is sort of signed to prevent modification. As you can see in the screenshot, only the browser name is shown but not the version, so that should not be a problem?
Resolved review comments on:
- core-bundle/src/Security/TwoFactor/TrustedDevice/TrustedDeviceManager.php
- core-bundle/src/Controller/FrontendModule/TwoFactorController.php
- core-bundle/src/Resources/contao/templates/backend/be_two_factor.html5
- core-bundle/src/Resources/contao/templates/modules/mod_two_factor.html5
Thanks a lot for your hard work @bytehead.
This is a first draft of a trusted devices implementation for the Contao 2FA.

It uses the built-in stuff from the scheb/two-factor-bundle and I would consider this a poor man's implementation because it only sets a versioned cookie and does not care about the user agent or the like.

My advice would be to store a GUID in a cookie or in local storage AND use the User-Agent header to identify and store the device server-side as a trusted device. This way we can show a list of trusted devices to the user where he easily can remove the ones he wants (or even all).

We should send an email when a new device is flagged as a trusted device. If the user didn't add it, or if he doesn't recognize the device information, he can clear his trusted devices immediately.
ToDo:
- Decide if cookie or local storage
- Send an e-mail if a new trusted device is added

2FA login screen:
![Bildschirmfoto 2019-09-02 um 15 59 21](https://user-images.githubusercontent.com/754921/64119791-f294b380-cd9a-11e9-9955-828ce71eea40.png)
2FA backend module:
![Bildschirmfoto 2019-09-02 um 16 00 39](https://user-images.githubusercontent.com/754921/64119824-02ac9300-cd9b-11e9-9938-9f9ff523a744.png)
2FA frontend module:
![Bildschirmfoto 2019-09-02 um 22 32 05](https://user-images.githubusercontent.com/754921/64132645-8aad8f80-cdd1-11e9-8499-a085adf17885.png)
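The design sketched in the description above (a signed, versioned cookie carrying a random device ID, a server-side device record that stores only the browser name, a list the user can prune, and a notification whenever a new device is trusted), as an added Python example. This is illustration code written for this page, not Contao's or scheb/two-factor-bundle's PHP implementation; the secret key, the user-agent strings, the `version:device_id:hmac` cookie layout and the in-memory store are all constructed assumptions. It also addresses the question raised in the comments about why a client-settable cookie can still be relied on: the cookie carries an HMAC the client cannot forge, and because the record also lives server-side it can be revoked per device, per user, or globally by bumping the version, regardless of what the browser still holds.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

SECRET_KEY = b"server-side-secret-change-me"  # constructed for this example
TOKEN_VERSION = 1  # bump to invalidate every trusted-device cookie at once


def browser_family(user_agent: str) -> str:
    """Reduce a User-Agent header to a coarse browser name without a version.

    Simplified heuristic (assumption): the order matters because Chrome UAs
    also contain 'Safari' and Edge UAs also contain 'Chrome'.
    """
    for marker, name in (("Edg/", "Edge"), ("Firefox/", "Firefox"),
                         ("Chrome/", "Chrome"), ("Safari/", "Safari")):
        if marker in user_agent:
            return name
    return "Unknown"


@dataclass
class TrustedDevice:
    device_id: str
    user_id: str
    browser: str
    created_at: float


@dataclass
class TrustedDeviceManager:
    secret: bytes
    version: int = TOKEN_VERSION
    devices: dict = field(default_factory=dict)        # device_id -> TrustedDevice
    notifications: list = field(default_factory=list)  # e-mails that would be sent

    def _mac(self, user_id: str, device_id: str, version: int) -> str:
        msg = f"{user_id}|{device_id}|{version}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def add_device(self, user_id: str, user_agent: str) -> str:
        """Register the current browser as trusted; return the cookie value."""
        device_id = secrets.token_urlsafe(16)  # random GUID-like identifier
        dev = TrustedDevice(device_id, user_id, browser_family(user_agent), time.time())
        self.devices[device_id] = dev
        # Tell the user about every newly trusted device so an unexpected entry
        # can be removed right away.
        self.notifications.append((user_id, f"New trusted device: {dev.browser}"))
        return f"{self.version}:{device_id}:{self._mac(user_id, device_id, self.version)}"

    def is_trusted(self, cookie: str, user_id: str, user_agent: str) -> bool:
        """Accept only a cookie whose MAC verifies AND whose record still exists."""
        try:
            version_s, device_id, mac = cookie.split(":")
            version = int(version_s)
        except ValueError:
            return False
        if version != self.version:
            return False
        expected = self._mac(user_id, device_id, version)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False  # tampered or forged cookie
        dev = self.devices.get(device_id)
        if dev is None or dev.user_id != user_id:
            return False  # revoked server-side, even though the MAC is valid
        return dev.browser == browser_family(user_agent)

    def list_devices(self, user_id: str) -> list:
        return [d for d in self.devices.values() if d.user_id == user_id]

    def remove_device(self, user_id: str, device_id: str) -> None:
        dev = self.devices.get(device_id)
        if dev is not None and dev.user_id == user_id:
            del self.devices[device_id]

    def remove_all(self, user_id: str) -> None:
        for dev in self.list_devices(user_id):
            del self.devices[dev.device_id]


def demo() -> dict:
    """Walk through the checks on constructed user agents and return the outcomes."""
    mgr = TrustedDeviceManager(secret=SECRET_KEY)
    firefox = "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    chrome = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36")
    cookie = mgr.add_device("alice", firefox)
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    results = {
        "same_browser": mgr.is_trusted(cookie, "alice", firefox),
        "other_browser": mgr.is_trusted(cookie, "alice", chrome),
        "other_user": mgr.is_trusted(cookie, "bob", firefox),
        "tampered": mgr.is_trusted(tampered, "alice", firefox),
        "notified": len(mgr.notifications),
        "listed": len(mgr.list_devices("alice")),
    }
    mgr.version += 1  # global invalidation
    results["after_version_bump"] = mgr.is_trusted(cookie, "alice", firefox)
    mgr.version -= 1
    mgr.remove_all("alice")  # the user clears the list from the module
    results["after_revoke"] = mgr.is_trusted(cookie, "alice", firefox)
    return results


if __name__ == "__main__":
    print(demo())
```

The browser-name comparison is deliberately coarse: the User-Agent header is client-controlled, so it only catches a cookie replayed from a different browser, as the comment thread notes; the protection against forgery comes from the MAC, and the ability to revoke comes from the server-side record.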