Allow users to set up 2FA/TOTP for RPs that pass acr_values=AAL2 #589
@shane-tomlinson to get more info from the AMO team about whether this is a blocker.
@ryanfeeley What are your thoughts on
The setup any security thing flow during a login flow sounds similar to security tune-up during login. It seems like there might be some overlapping features that could be used for both.
We have a meeting with AMO at all hands to help refine the next stages of this.
ref #7069
It's been a while since we looked at this issue, so I just wanted to summarize the current state and next steps. A simple way to reproduce the underlying issue is as follows:
To proceed, the user has to open a new tab, go to their account settings, set up 2FA, then return to the original login flow and complete it. This flow would be significantly improved if, rather than getting an error message, we took the user to a page where they can set up 2FA inline in the signin flow. From @vbudhram's experience implementing the initial version, it sounded like this could be a fairly complex bit of state management. It also depends on some UX input for details, although starting from the existing 2FA setup screen seems like a fine approach.
Could the user instead be redirected to account settings, with a message (modal or red bar) that says:
This sounds similar to what we do right now (although we don't direct them straight to the settings page, we provide a "more information" link that they can follow to get to the settings page). The desired experience here is to set up 2fa "inline" in the login flow, so that when the user is done they can easily continue with signing in to the requesting RP. It would be great to re-use the settings page for this, but it's not clear to me how we then direct the user back to their login flow.
I would be fearful that the user would get totally lost within the settings page by clicking around on other things.
Normal users yes, but not extension developers.
I'm not buying this assertion, and am very wary of adding special case logic within the settings page to redirect back to AMO.
➤ Jared Hirsch commented: The separate issue for extracting the 2FA setup flow into mixins was an artificial distinction: I had to put the flow together to understand how to extract the code. Converted FXA-308 to a subtask of this issue. Reducing points for this issue down to 3 to reflect work remaining.

➤ Jared Hirsch commented: This issue is really old and doesn't make it clear what work's left for this epic. Closing in favor of https://jira.mozilla.com/browse/FXA-1750.
Follow on from #6545.
If a user does not have TOTP enabled and the relier specifies acr_values=AAL2, the user is displayed a message that says
"This request requires two step authentication enabled on your account."
but does not provide an easy way for the user to do so. Over in mozilla/addons#732 (comment), @diox has requested that we make it possible for users to do so.
ref #6661
ref mozilla/fxa-auth-server#2708
Issue is synchronized with this Jira Task
Issue Number: FXA-735
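An added example (not FxA's or AMO's code) of the relier side of this request: it builds the authorization URL with acr_values=AAL2 and, after login, checks the acr claim the ID token actually asserts, since the request parameter alone does not guarantee a TOTP-backed login. The endpoint path, client_id and the unsigned sample token are assumptions constructed for the demo; signature, issuer, audience and expiry validation is assumed to happen in the RP's JWT library before these helpers run.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed values for the example; the endpoint path and client_id are placeholders.
AUTH_ENDPOINT = "https://accounts.firefox.com/authorization"
REQUIRED_ACR = "AAL2"


def build_authorize_url(client_id, redirect_uri, state):
    """Authorization request asking the IdP for an AAL2 (TOTP-backed) login."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid profile",
        "state": state,
        "acr_values": REQUIRED_ACR,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims):
    """Constructed sample ID token for the demo only (no signature); a real RP
    receives a signed token from the IdP and verifies it before reading claims."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    return header + "." + _b64url_encode(json.dumps(claims).encode()) + "."


def id_token_claims(id_token):
    """Decode the payload of a compact JWT. Signature, issuer, audience and
    expiry checks are assumed to have been done by the RP's JWT library first."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def satisfies_aal2(claims):
    """acr_values in the request is only a hint. The RP must check the acr the
    IdP actually asserted; an AAL1 token (user without TOTP) is rejected."""
    return claims.get("acr") == REQUIRED_ACR
```

A relier that skips the satisfies_aal2 check would accept a session from a user who never enabled TOTP, which is exactly the case the error message above is guarding against.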