MFA Device Replacement Flow #3142

Open
kevinlinxc opened this issue Jul 12, 2022 · 5 comments
Comments

kevinlinxc (Contributor) commented Jul 12, 2022

Currently, if a user wants to change MFA devices, they have to disable MFA and add a new MFA device.

In the future, when MFA for a user cannot be disabled (for users with required mfa), disabling->enabling won't be an option, as there would necessarily be a state where the user has disabled MFA.

I've collaborated with some people to make a prototype to address this, and it boils down to:

  1. The user clicks a button in settings to start.
  2. They verify with their existing OTP; this sends them to a new MFA setup page that is on a 5-minute time limit.
  3. They set up their new MFA device and recovery codes like normal.

Demonstration:

https://user-images.githubusercontent.com/44324811/178588968-b34b02b0-d672-4dad-aa65-35e95e572a70.mp4
(The first and last parts show that you can only access the replacement page with verification.)

Prototype code is here: Shopify#22

Feedback is welcome, especially vis-à-vis the placement/look of the starting button as that seems a bit unnatural right now.

kevinlinxc (Contributor, Author) commented

@simi @sonalkr132 If you have time, could you have a look at this? It would be a "nice to have" if, when mfa is required, people could change their mfa device.

simi (Member) commented Jul 25, 2022

@kevinlinxc seems ok to me 💪. Feel free to open PR so we can do review in here.

sonalkr132 (Member) commented

> there would necessarily be a state where the user has disabled MFA.

What happens if a user loses their MFA device and recovery keys? As of now, we disable their MFA manually using the disable_mfa script. I am guessing the script will continue to work. I am hoping MFA-required users will be able to register a new device if their MFA is disabled.

simi (Member) commented Jul 26, 2023

@jenshenny is there still a plan to contribute this feature? If I understand it well, this is still an issue as described for users not able to disable MFA; even today it could be bypassed by using a security device. It is still possible to disable TOTP today, but that could be prevented in the future.

jenshenny (Member) commented

It's still on my radar. With the introduction of security devices, the flow would probably need to be changed. If an MFA-required user tries to disable their last MFA device, they should be prompted to set up a TOTP or security device. That being said, this is my mental model of what the MFA settings should look like (I can chip away at it).

  1. The MFA settings should be in their own page (like API keys), separate from edit settings.
  2. When someone accesses MFA settings, they will be prompted to MFA (like entering a password for API keys) if they have it set up.
     • We can then eliminate needing to MFA to update your MFA level and disable your TOTP.
  3. If a user doesn't have any devices, there will be a "create an MFA device" page where a user can set up WebAuthn or TOTP.
     • This page can be used in a "replace a device" flow.
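
The two mechanisms discussed in this thread, the time-limited replacement flow from the opening post (verify the existing OTP, get a 5-minute window, enrol the new device and recovery codes without ever passing through a "MFA disabled" state) and the rule above that an MFA-required user must not be left without a device, can be sketched in plain Ruby. The block below is an added example written for this page; it is not code from rubygems.org or from the Shopify#22 prototype. `MfaAccount`, `Device`, the return symbols and the 20-byte secrets are hypothetical; the TOTP arithmetic follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) using only the standard library, and the clock is injected so the expiry path can be exercised offline.

```ruby
# Added example, not project code. Models: TOTP verification (RFC 6238),
# a 5-minute replacement window opened by the *old* device's code, an atomic
# swap of secret + recovery codes, and refusal to remove an MFA-required
# user's last device. Names below are hypothetical.
require "openssl"
require "securerandom"

module Totp
  STEP = 30   # seconds per time step (RFC 6238 default)
  DIGITS = 6

  # RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation.
  def self.hotp(secret_bytes, counter)
    b = OpenSSL::HMAC.digest("SHA1", secret_bytes, [counter].pack("Q>")).bytes
    off = b.last & 0x0f
    code = (b[off] & 0x7f) << 24 | b[off + 1] << 16 | b[off + 2] << 8 | b[off + 3]
    format("%0#{DIGITS}d", code % 10**DIGITS)
  end

  def self.at(secret_bytes, time)
    hotp(secret_bytes, time.to_i / STEP)
  end

  # Accept the current step and its immediate neighbours to tolerate clock skew.
  def self.valid?(secret_bytes, code, time)
    (-1..1).any? { |d| secure_compare(hotp(secret_bytes, time.to_i / STEP + d), code) }
  end

  # Constant-time comparison so the code check does not leak via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

Device = Struct.new(:id, :secret) # secret is raw bytes (constructed, not base32)

class MfaAccount
  WINDOW = 5 * 60 # the replacement page stays open for 5 minutes, per the issue

  attr_reader :devices, :recovery_codes

  def initialize(required:, clock: -> { Time.now })
    @required = required
    @clock = clock
    @devices = []
    @recovery_codes = []
    @replacement = nil
  end

  def enroll(secret = SecureRandom.random_bytes(20))
    @devices << Device.new(SecureRandom.hex(4), secret)
    @recovery_codes = Array.new(8) { SecureRandom.hex(6) }
    @devices.last
  end

  # Step 2 of the proposed flow: a valid code from the existing device opens a
  # short-lived window; nothing about the account changes yet.
  def begin_replacement(device_id, code)
    dev = @devices.find { |d| d.id == device_id }
    return nil unless dev && Totp.valid?(dev.secret, code, @clock.call)
    @replacement = { device_id: device_id, expires_at: @clock.call + WINDOW }
  end

  # Step 3: the new device must prove possession with its own code; the old
  # secret and recovery codes are replaced in one step, so there is never a
  # moment where MFA is disabled.
  def complete_replacement(new_code, new_secret)
    r = @replacement
    return :no_window unless r
    if @clock.call > r[:expires_at]
      @replacement = nil
      return :window_expired
    end
    return :bad_code unless Totp.valid?(new_secret, new_code, @clock.call)
    @devices.map! { |d| d.id == r[:device_id] ? Device.new(SecureRandom.hex(4), new_secret) : d }
    @recovery_codes = Array.new(8) { SecureRandom.hex(6) }
    @replacement = nil
    :replaced
  end

  # The rule from the last comment: an MFA-required user cannot drop their last
  # device; the caller should send them to the create-a-device page instead.
  def remove_device(device_id)
    return :last_device_required if @required && @devices.size == 1
    @devices.reject! { |d| d.id == device_id }
    :removed
  end
end
```

The window is tied to the device that proved possession, and a second call to `complete_replacement` after a successful swap gets `:no_window`, so the 5-minute grant cannot be reused. A real implementation would persist the window server-side (or as a signed, expiring token) and log both the start and the completion of a replacement.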
