Refining 2FA login flow (remember browser/device trust upon logout) #34406

Open
nursoda opened this issue Oct 3, 2022 · 0 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap enhancement feature: authentication

nursoda commented Oct 3, 2022

I searched https://github.com/nextcloud/server issues for "is:issue is:open 2fa default" and did not find anything related, so…:

Situation

When logged out, a user always has to do a 2FA login if 2FA is active for his account.

Considerations

For many threat scenarios, it seems to be sufficient to remember the browser/device and only log out the user.

Related to #34403

Implications

The state "authenticated" is kind of split up in two components: "USER is authenticated" plus "BROWSER/DEVICE is trusted". At first sight, this does need UI changes in the server only.

Proposal

In the login screen, the user should be able to

a) log in using primary method – and opt-in to be remembered AS USER
b) be challenged with the second factor method – and be able to opt-in to be remembered AS BROWSER/DEVICE

When logged in, the user should be able to

a) log out AS USER without losing the trust for this browser/device
b) clear the trust for this BROWSER/DEVICE

Amazon does it that way, and I think it's very appealing. They seem to have two tokens: one for the user login credentials (username/password) and one for the second factor (TOTP in that case). One may log out (e.g. to make sure no other family member uses it) without the need to re-enter the 2nd factor upon re-login.

Notes

This is a starting point for a (focussed) discussion. Please challenge or enhance the proposal by pointing out what needs to be taken into consideration.

@nursoda nursoda added 0. Needs triage Pending check for reproducibility or if it fits our roadmap enhancement labels Oct 3, 2022
@nursoda nursoda changed the title Refining 2FA login flow () Refining 2FA login flow (remember browser/device trust upon logout) Oct 3, 2022
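To make the two-part state in the proposal concrete, here is an added in-memory model of it (example code, not Nextcloud's code; `AuthServer`, the token layout and the 30-day lifetime are assumptions): "USER is authenticated" is a server-side session, "BROWSER/DEVICE is trusted" is an HMAC-signed token bound to user, device and expiry, so logging out clears only the session, the password is still required on a trusted device, and the user can revoke the device trust separately.

```python
import hashlib, hmac, secrets, time
# Constructed toy model of the proposal; hypothetical names, not Nextcloud code.
SECRET = secrets.token_bytes(32)   # server key that signs device-trust tokens
TRUST_TTL = 30 * 24 * 3600         # assumed lifetime of browser/device trust (30 days)
class AuthServer:
    def __init__(self, users):
        self.users = users     # user -> (password, second-factor code); toy store
        self.sessions = {}     # session id -> user: the "USER is authenticated" state
        self.revoked = set()   # trust tokens the user explicitly cleared
    def _sign(self, user, device_id, exp):
        msg = f"{user}|{device_id}|{exp}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    def issue_trust(self, user, device_id, now=None):
        # The "BROWSER/DEVICE is trusted" token: bound to user, device and expiry.
        exp = int(now or time.time()) + TRUST_TTL
        return f"{user}|{device_id}|{exp}|{self._sign(user, device_id, exp)}"
    def device_trusted(self, user, device_id, token, now=None):
        # Accept only an intact, unexpired, unrevoked token for this user/device.
        if not token or token in self.revoked:
            return False
        try:
            t_user, t_dev, exp, sig = token.split("|")
            ok = t_user == user and t_dev == device_id and int(exp) >= (now or time.time())
        except ValueError:
            return False
        return ok and hmac.compare_digest(sig, self._sign(t_user, t_dev, int(exp)))
    def login(self, user, password, device_id, trust_token=None, totp=None, remember_device=False):
        # Primary factor is always required; the second factor only on untrusted devices.
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(stored[0], password):
            return {"status": "denied"}
        if not self.device_trusted(user, device_id, trust_token):
            trust_token = None                       # stale or foreign token is ignored
            if totp is None:
                return {"status": "2fa_required"}    # challenge the second factor
            if not hmac.compare_digest(stored[1], totp):
                return {"status": "denied"}
            if remember_device:
                trust_token = self.issue_trust(user, device_id)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return {"status": "ok", "session": sid, "trust_token": trust_token}
    def logout_user(self, sid):          # ends the user session only; device trust survives
        self.sessions.pop(sid, None)
    def clear_device_trust(self, token):  # next login on this device needs the second factor
        self.revoked.add(token)
```

In a real deployment the trust token would live in a long-lived cookie separate from the session cookie, and the second-factor check would be a proper TOTP verification rather than the constant compared here.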