Refining 2FA login flow (remember browser/device trust upon logout) #34406
Labels
0. Needs triage
enhancement
feature: authentication
How to use GitHub
I searched https://github.com/nextcloud/server issues for "is:issue is:open 2fa default" and did not find anything related, so…:
Situation
When logged out, a user always has to do a 2FA login if 2FA is active for his account.
Considerations
For many threat scenarios, it seems to be sufficient to remember the browser/device and only log out the user.
Related to #34403
Implications
The state "authenticated" is kind of split up into two components: "USER is authenticated" plus "BROWSER/DEVICE is trusted". At first sight, this does need UI changes in the server only.
Proposal
In the login screen, the user should be able to
a) log in using primary method – and opt-in to be remembered AS USER
b) be challenged with the second factor method – and be able to opt-in to be remembered AS BROWSER/DEVICE
When logged in, the user should be able to
a) log out AS USER without losing the trust for this browser/device
b) clear the trust for this BROWSER/DEVICE
Amazon does it that way, and I think it's very appealing. They seem to have two tokens: One for the user login credentials (username/password) and one for the second factor (TOTP in that case). One may log out (e.g. to make sure no other family member uses it) without the need to re-enter the 2nd factor upon re-login.
Notes
This is a starting point for a (focussed) discussion. Please challenge or enhance the proposal by pointing out what needs to be taken into consideration.
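As an added illustration of the two-component state described in the proposal (this is example code written for this discussion, not Nextcloud server code; `AuthServer`, `DeviceTrust`, the method names and the 30-day trust lifetime are all assumptions), the model below keeps a USER session and a BROWSER/DEVICE trust as separate records. Logging out removes only the session; clearing the device trust removes only the trust. The device trust is stored server-side as a hash of the token the browser holds, is bound to one account and expires, so a presented token that is expired or belongs to another user is not honoured.

```python
"""Two-component authenticated state: USER session + BROWSER/DEVICE trust.
Added example for this issue, not Nextcloud code; all names are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


def _digest(token: str) -> str:
    # Only the hash of a device-trust token is stored, so a copied database
    # does not yield tokens that can be replayed as cookies.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class DeviceTrust:
    user: str            # trust is bound to exactly one account
    expires_at: float    # absolute expiry (epoch seconds)


@dataclass
class LoginResult:
    status: str                          # "ok", "denied" or "second_factor_required"
    session_id: Optional[str] = None     # set when status == "ok"
    challenge: Optional[str] = None      # set when the second factor is still pending
    device_token: Optional[str] = None   # set only when a new device trust was created


@dataclass
class AuthServer:
    # user -> password; plaintext here only to keep the toy self-contained
    passwords: Dict[str, str]
    # (user, code) -> bool, injected so the example runs offline without real TOTP
    totp_check: Callable[[str, str], bool]
    trust_ttl: float = 30 * 24 * 3600            # assumed lifetime of a remembered device
    sessions: Dict[str, str] = field(default_factory=dict)        # session_id -> user
    pending: Dict[str, str] = field(default_factory=dict)         # challenge -> user
    trusts: Dict[str, DeviceTrust] = field(default_factory=dict)  # token hash -> trust

    def _new_session(self, user: str) -> str:
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = user
        return session_id

    def _device_trusted(self, user: str, token: str) -> bool:
        key = _digest(token)
        trust = self.trusts.get(key)
        if trust is None:
            return False
        if trust.expires_at < time.time():
            self.trusts.pop(key, None)       # expired: forget it
            return False
        return trust.user == user            # a trust never transfers between accounts

    def login(self, user: str, password: str, device_token: Optional[str] = None) -> LoginResult:
        """Step a): primary factor. A trusted device skips the second factor."""
        stored = self.passwords.get(user)
        if stored is None or not hmac.compare_digest(stored, password):
            return LoginResult(status="denied")
        if device_token and self._device_trusted(user, device_token):
            return LoginResult(status="ok", session_id=self._new_session(user))
        challenge = secrets.token_urlsafe(16)
        self.pending[challenge] = user
        return LoginResult(status="second_factor_required", challenge=challenge)

    def second_factor(self, challenge: str, code: str, remember_device: bool) -> LoginResult:
        """Step b): second factor, optionally remembering this BROWSER/DEVICE."""
        user = self.pending.pop(challenge, None)   # a challenge is single-use
        if user is None or not self.totp_check(user, code):
            return LoginResult(status="denied")
        device_token = None
        if remember_device:
            device_token = secrets.token_urlsafe(32)
            self.trusts[_digest(device_token)] = DeviceTrust(user, time.time() + self.trust_ttl)
        return LoginResult(status="ok", session_id=self._new_session(user), device_token=device_token)

    def logout(self, session_id: str) -> bool:
        """Log out AS USER: the session ends, the device trust is untouched."""
        return self.sessions.pop(session_id, None) is not None

    def forget_device(self, device_token: str) -> bool:
        """Clear the trust for this BROWSER/DEVICE; the user session is untouched."""
        return self.trusts.pop(_digest(device_token), None) is not None


def demo() -> Dict[str, str]:
    # Constructed sample account and a fixed "TOTP" code for the offline demo.
    server = AuthServer(passwords={"alice": "correct horse"},
                        totp_check=lambda user, code: code == "123456")
    first = server.login("alice", "correct horse")
    done = server.second_factor(first.challenge, "123456", remember_device=True)
    server.logout(done.session_id)                       # user logs out, browser stays trusted
    again = server.login("alice", "correct horse", device_token=done.device_token)
    server.forget_device(done.device_token)              # browser trust cleared
    third = server.login("alice", "correct horse", device_token=done.device_token)
    return {"first": first.status, "done": done.status, "again": again.status, "third": third.status}


if __name__ == "__main__":
    print(demo())
```

The sequence in `demo()` is the one the proposal describes: the first login is challenged, the user opts to remember the browser, logs out as user, and the re-login is not challenged; after clearing the device trust the next login is challenged again.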