Two-Factor Authentication with OAuth

[u12206050]

Preflight Checklist

• I have completed all Troubleshooting Steps.
• I'm on the latest version of Directus.
• There's no other issue that already describes my problem.

Describe the Bug

When using OAuth to login, users are not able to enable 2FA due to the password prompt.

This stops users that have logged in with Auth0 without setting a password to setup 2FA

To Reproduce

Login using OAuth and try enabling 2FA

Errors Shown

No response

What version of Directus are you using?

9.8.0

What version of Node.js are you using?

16.4.0

What database are you using?

mysql 8

What browser are you using?

Chrome

What operating system are you using?

osx

How are you deploying Directus?

Locally & GCP

[rijkvanzanten]

This is a very interesting problem 🤔 If you don't have a password, you can't confirm the password to enable 2FA. However, we wouldn't want people to allow enabling 2FA without making sure that they're really the current user. I'm wondering if there's some sort of way to "re-login" through the auth provider to confirm, or whether it would be enough to just skip the password check when the stored password = null (@aidenfoxx thoughts?)

[aidenfoxx]

@rijkvanzanten So we did discuss this issue around the time I was implementing modular auth, and there were a few issues that needed to be addressed at the time. Those were "How does one enable 2FA as an OAuth user?" and "How does one enter their 2FA code during SSO?".

As a workaround for the first issue we left the ability for an OAuth user to set a regular Directus password against their account, and then they can use that to enable 2FA.

The second issue you were planning to solve with a dedicated 2FA page when logging in. I believe that's implemented now, but I don't know if it works with the SSO flows?

I think one solution would be when an SSO user tries to enable 2FA we say "You will be prompted to enable 2FA next time you log in" and then push them through the "require 2FA" flow that you can apply to user roles?

[rijkvanzanten]

I think one solution would be when an SSO user tries to enable 2FA we say "You will be prompted to enable 2FA next time you log in" and then push them through the "require 2FA" flow that you can apply to user roles?

That's a great idea! Single solution that works for every means of authenticating / registering

[aidenfoxx]

I would say it's technically worse UX, but it feels more flexible and probably more maintainable if you apply it globally (as compared to having different 2FA flows for different drivers).

[u12206050]

I like it though, since it would work similar for both users with and without oauth.

One other thing about 2FA though, would it be possible to have an inactive timeout setting (think auto app lock), whereby you an overlay locks the app and you would need to reenter the 2FA code to continue.

Currently the only expiry logs you out completely, which you only realise once the dashboard fails to load.

[rijkvanzanten]

Linear: ENG-260