Firesphere / silverstripe-bootstrapmfa

Bootstrap your MultiFactor with backup codes and a ready-to-go second-factor authentication
BSD 3-Clause "New" or "Revised" License

Backup codes can be downloaded within session #14

Open brynwhyman opened 5 years ago

brynwhyman commented 5 years ago

Allow backup codes to be downloaded within the session that they have been created in.

AC:

Notes: Two ways of doing this: a. PHP method requiring streaming and custom session-deletion logic; b. JS method creating a .txt file, but there may be browser compatibility issues (esp. for SS3 use cases)

Frontend notes:

Designs: https://projects.invisionapp.com/share/3PNSKZQYBJZ#/screens/322766388

brynwhyman commented 5 years ago

Pointing to the JavaScript method.

chillu commented 5 years ago

js method is creating a .txt file

I think this is overkill, just allow printing and copy/paste.

robbieaverill commented 5 years ago

I totally agree with @chillu, but I've triaged as originally scoped. I vote we should close this issue or change it to ensure it's clear to the user how they can print or copy their backup codes, but it's not my place to do so without PO approval 👍

robbieaverill commented 5 years ago

Allows for the scenario where a user could download backup codes after MFA is set up and codes are generated

I'm not sure this is a "standard" thing to do with MFA flows. Usually you only have one opportunity to get them; when they're first generated and shown to you

ScopeyNZ commented 5 years ago

I'll just remove that bit. When we were talking about this last week we were discussing how to avoid having them stored in session ever (for the download link) and everyone seemed on the same page...

robbieaverill commented 5 years ago

In terms of the display of the backup codes, it'll happen in two places: the CMS in a Member's CMS fields, and on the frontend once a user has enabled and configured a MFA method (only TOTP, or do backup codes apply to other methods like Yubikey as well?).

We can/should re-use the logic for generating the CMS fields for both places.

I guess the frontend version would be a new controller action which would be redirected to after successfully configuring MFA. In the CMS it'd be part of CMS fields.

ScopeyNZ commented 5 years ago

do backup codes apply to other methods like Yubikey as well

They do. All MFA methods extending this module will have backup codes provided. But I guess you don't get another set for a second MFA method? 🤔

Sounds good to me - we just want to avoid ever having backup codes in session.
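The design sketched in the last few comments (generate the codes once, show them to the user once, never keep them in session) as an added PHP example. This is not code from silverstripe-bootstrapmfa or from any of the commenters; the function names, the 10-character hex code format and the idea of persisting only password hashes of the codes (so nothing recoverable is stored in the database either) are assumptions added here:

```php
<?php
// Added example, not code from silverstripe-bootstrapmfa. Illustrates the
// pattern from the thread: generate backup codes, render the plaintext exactly
// once, persist only hashes, and consume a code on successful use so it cannot
// be replayed. All names and the code format are hypothetical.

declare(strict_types=1);

const BACKUP_CODE_COUNT = 10;
const BACKUP_CODE_BYTES = 5; // 5 random bytes -> 10 lowercase hex chars per code

/**
 * Generate a fresh set of codes.
 * Returns ['plain' => [...], 'hashes' => [...]].
 * The caller renders 'plain' in the current response and then drops it;
 * only 'hashes' is stored, so no recoverable code ever sits in session or DB.
 */
function generateBackupCodes(int $count = BACKUP_CODE_COUNT): array
{
    $plain = [];
    $hashes = [];
    for ($i = 0; $i < $count; $i++) {
        $code = bin2hex(random_bytes(BACKUP_CODE_BYTES)); // CSPRNG, not rand()
        $plain[] = $code;
        // A 40-bit code space is small enough that a bare SHA-256 could be
        // brute-forced offline if the table leaked, so use a slow salted hash.
        $hashes[] = password_hash($code, PASSWORD_DEFAULT);
    }
    return ['plain' => $plain, 'hashes' => $hashes];
}

/**
 * Format a code for display/printing as "xxxxx-xxxxx".
 */
function formatBackupCode(string $code): string
{
    return substr($code, 0, 5) . '-' . substr($code, 5);
}

/**
 * Verify a submitted code against the stored hashes. On success the matching
 * hash is removed (single use) and true is returned. Input is normalised so a
 * code typed as "ABCDE-FGHIJ" still matches.
 */
function consumeBackupCode(string $submitted, array &$storedHashes): bool
{
    $candidate = strtolower(preg_replace('/[^a-f0-9]/i', '', $submitted) ?? '');
    foreach ($storedHashes as $index => $hash) {
        if (password_verify($candidate, $hash)) {
            unset($storedHashes[$index]);
            $storedHashes = array_values($storedHashes);
            return true;
        }
    }
    return false;
}

// Constructed walk-through of the enrolment-and-use flow.
$codes     = generateBackupCodes();
$stored    = $codes['hashes'];   // what would be persisted on the Member record
$shownOnce = array_map('formatBackupCode', $codes['plain']); // rendered, then gone
echo "Your backup codes (shown only once):" . PHP_EOL;
foreach ($shownOnce as $line) {
    echo "  $line" . PHP_EOL;
}
unset($codes); // nothing plaintext is kept after the response is rendered

$first = $shownOnce[0];
if (consumeBackupCode(strtoupper($first), $stored) !== true) {
    throw new RuntimeException('valid code was rejected');
}
if (consumeBackupCode($first, $stored) !== false) {
    throw new RuntimeException('replayed code was accepted');
}
if (count($stored) !== BACKUP_CODE_COUNT - 1) {
    throw new RuntimeException('consumed code was not removed');
}
echo 'Remaining backup codes: ' . count($stored) . PHP_EOL;
```

Because each verification attempt runs `password_verify` against every remaining hash, a login via backup code costs up to ten bcrypt checks; that is acceptable for a rare recovery path, and it is the price of not storing the codes in a fast, brute-forceable form. If the codes are later regenerated, the whole `$stored` array is replaced, which also satisfies the "reset the codes" option raised further down the thread.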

newleeland commented 5 years ago

Allows for the scenario where a user could download backup codes after MFA is set up and codes are generated

I'm not sure this is a "standard" thing to do with MFA flows. Usually you only have one opportunity to get them; when they're first generated and shown to you

Being able to view backup codes after sign-up is a pattern that is common for Slack, Facebook and Google. But resetting the recovery codes after sign-up is probably more secure. This shouldn't be a huge design-flow change.

robbieaverill commented 5 years ago

You're right, I'm sorry. Slack lets me view my unused backup codes whenever I want.