Add telemetry to capture MFA login durations

[bettymakes]

🤔 What problem are you solving?

Closes https://github.com/Shopify/ruby-dependency-security/issues/146

We hypothesize that WebAuthn improves the MFA user experience by enabling users to authenticate more quickly compared to TOTP. To verify this assumption, we'll capture login durations for Webauthn and TOTP to monitor and compare the difference.

🛠️ What approach did you choose and why?

1️⃣ Starting the timer for capturing duration
In order to capture the duration of the login flow for both WebAuthn or TOTP, we need a starting point. We store the starting time on the browser's session once the user has successfully logged in with their username and password.

This makes sense as the starting point because the user will then be shown the 2nd factor authentication view (either prompted for TOTP code or WebAuthn).

2️⃣ Calculate and capture duration
Upon successfully authenticating with TOTP or WebAuthn, we'll calculate the duration of time passed (in seconds) and record it.

👀 What should reviewers focus on?

I'm open to renaming the helper methods created in the tests (login_to_session and verify_challenge).

@jenshenny & I had also thought about other metrics we may want to track (e.g. tracking failed MFA attempts, potentially its duration to failure?). But we decided it was best to start with the metric we're most interested in first.

🧪 Acceptance testing

We can only test this the PR is shipped and we begin capturing data.

🐶 📈 After PR is merged
We'll need to create a dashboard in Datadog in order to review the metrics for login.mfa.webauthn.duration and login.mfa.otp.duration.

[codecov]

Codecov Report

Merging #3376 (5c0d66c) into master (9acb6dd) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##           master    #3376   +/-   ##
=======================================
  Coverage   98.58%   98.59%           
=======================================
  Files         113      113           
  Lines        3399     3408    +9     
=======================================
+ Hits         3351     3360    +9     
  Misses         48       48           

Impacted Files	Coverage Δ
app/controllers/sessions_controller.rb	100.00% <100.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[jchestershopify]

One question but otherwise LGTM.

[simi]

Last commit is wip commit.... Is there any additional change planned? If not, any chance to squash commits?

[bettymakes]

Thanks for following up @simi 🙌 . I was gonna review whether I need to add any additional tests before I fix up the commit.

There's also one other metric we realized would be beneficial to capture (number of times WebAuthn is set up). I'll likely be working on this later today. Although, on second thought, it may make more sense to create a separate PR for adding that metric. Either way, I'll be making final amendments later today and will definitely squash the wip commit then 😊 👍 . Should be good for another round of reviews at that point.

[jenshenny]

LGTM! Just have a few nits regarding the tests but not blocking.

I think we should edit the current login integration test to check if statsd is incremented (mfa login, webauthn login <- this test is moved to webauthn_sign_in_test.rb or something similar if you rebase from current master).

[jchestershopify]

LGTM.

[simi]

🤔 Squash and merge or is it ok to merge as is now?

[bettymakes]

Yup! I think we're good to go. @simi, if you can help me merge, that'd be great 🙌 . But also, I can ping Jenny or Ashley to help with that tomorrow. We plan on checking it out on staging first to make sure it's rigged up correctly 😊.