Neos-Metaverse / NeosPublic

A public issue/wiki only repository for the NeosVR project

Device whitelisting for 2FA login #2671

Open Kuro-Maii opened 3 years ago

Kuro-Maii commented 3 years ago

Is your feature request related to a problem? Please describe.

In case this wasn't already the goal or a standard feature, I'd like to preemptively request device whitelisting for the login progress. the idea: my home desktop will be the only device I'll be using for neos, and needing to swap back and forth between VR and desktop can be a hassle (in some cases even more as the VR gear and flatscreen can be in different rooms).

Relevant issues

No response

Describe the solution you'd like

after the first login with 2FA enabled one could go to a settings page where they can enable the current device as a trusted device. after confirming this action with a 2FA key login will only require a password from the current device. significant hardware and/or IP address changes could still force the need to re-verify the device as a trusted device.

Describe alternatives you've considered

not enabling 2FA at all. (which would be not desirable)

Additional context

No response

Frooxius commented 3 years ago

I'm not sure if this is something we'd add, as this would severely undermine the reason for 2FA and open a big security hole.

One of the possible attacks using 2FA is someone getting your password or authentication token on your computer. With 2FA that's not sufficient to perform certain actions on your account, as they would also need to gain access to another device (e.g. your phone).

However if your device is whitelisted, then its hardware fingerprint effectively becomes another password/token, that's in the exact same place as the other one. This reduces the "2FA" security back to "1FA", which pretty much loses the point of setting it up, since you now have a way to bypass it.

If you prefer the convenience at cost of increased risk, then I'd recommend just not setting up 2FA at all.

What might help is that we'll likely make different parts configurable - e.g. you could configure the system to always ask you for 2FA code for credit transactions, but only once every 1 hour or 1 day for other lower-risk actions. This should provide more fine grained control to manage the risk and balancing it against some convenience.

Kuro-Maii commented 3 years ago

the idea is more that if somehow my username/password get compromised the malicious person still needs access to either my home PC or the device I use for the 2FA token. if my home PC gets compromised then, in the best case I need to reactivate it as a trusted device, or in the worst case I have probably lost more than just my neos account. if my 2FA device gets compromised then 2FA won't work anyway to protect any and all accounts setup with that device.

so this would imply that in the case my username/password gets compromised, my account is still safe as long as my computer isn't compromised. this is because the attacker will likely try to sign in from a different IP or hardware, resulting in the request for a 2FA code and potentially an email asking "hey, we found a login attempt from a different location. is this you? if not we advise changing your password."

thus my account is still safe and I can take action in re-securing my account with a new password without ever having lost access to my account.

(consider every me, I and similar self references as "the user" not specifically me, Kuro)

Frooxius commented 3 years ago

I understand the idea, but the problem is that it won't offer you the security you expect.

One of the ways of compromising your username/password is through your home PC. If that happens, they now have everything they need to mount an attack. If they get some malicious code to execute on your PC, they get the hardware ID as well as the same IP.

2FA blocks that, because that means they'd have to get control of two devices, instead of just one. But by requiring only a single PC to run certain actions, that gets undermined.

Problem is that we can't really tell if the attacker is from the same hardware or not. The hardware fingerprint can be spoofed. Everything is just data, so our server just gets "I'm Kuro-Maii's computer". Attacker can simply send a message that says "I'm KuroMaii's computer" and we are none the wiser.

The IP offers somewhat more protection, but this can be actually spoofed too in some cases and even if not, it doesn't necessarily uniquely identify you and doesn't prevent attacks that happen due to your main PC being compromised.

Think about it this way. 2FA is a method so compromising a single device isn't sufficient for an attack, it requires compromising two. By giving a single device a privileged position, you make it so only a single device is sufficient for an attack again. I'd be concerned that people would enable this option while still thinking they have 2FA protection - it's probably better to just disable it in the first place if you really want that.

I think the timed 2FA validations (where it stays valid for a few minutes, hours or maybe days for some actions) will be the better solution here, as they have an expiry date and thus limit the window of opportunity for an attack, rather than keeping it open indefinitely, while still providing reasonable convenience.
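The timed, per-action 2FA validity described above, as an added example that is not part of this thread or of NeosVR's code: high-risk actions always ask for a fresh code, lower-risk actions accept a code entered within a bounded window, and nothing is ever trusted indefinitely. The action names, validity periods and session shape are assumptions; the code check is a plain RFC 6238 TOTP verifier (SHA-1, 30 s steps, 6 digits).

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy (assumption, not Neos' actual configuration):
# actions in ALWAYS_FRESH require a code every time; others accept a
# code entered within VALIDITY seconds. Unknown actions fail closed.
ALWAYS_FRESH = {"credit_transaction"}
VALIDITY = {"change_avatar": 3600, "send_message": 86400}

# Constructed shared secret (RFC 6238 test-vector secret, not a real one).
SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock skew."""
    candidates = [totp(secret, now + skew * 30) for skew in range(-window, window + 1)]
    return any(hmac.compare_digest(c, code) for c in candidates)


@dataclass
class Session:
    verified_at: Optional[int] = None  # time of the last successful code entry


def needs_code(session: Session, action: str, now: int) -> bool:
    """True if this action needs a fresh 2FA code right now."""
    if action in ALWAYS_FRESH or action not in VALIDITY:
        return True
    if session.verified_at is None:
        return True
    return now - session.verified_at > VALIDITY[action]  # grant has expired


def authorize(session: Session, action: str, now: int, secret: bytes,
              code: Optional[str] = None) -> bool:
    """Allow the action if no code is due, or if a valid code was supplied now."""
    if not needs_code(session, action, now):
        return True
    if code is not None and verify_totp(secret, code, now):
        session.verified_at = now  # start a new bounded validity window
        return True
    return False
```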

Kuro-Maii commented 3 years ago

I think the timed 2FA validations are the best compromise then

peterthethinker commented 3 years ago

Google/MS and many more have found the balance. Might I suggest we follow them.

First off. they have Recovery options.

Remember single points of failure are bad engineering.

2nd. they allow up to FIVE FIDO2 keys per account so users have redundant physical keys, and they also offer TOTP. This covers 99.9% of users' needs.

Heck, most would use TOTP as the main 2FA and keep a FIDO2 key as an in-the-safe backup in case of phone breakage etc.

They all also allow for persistent logins. Why not us?

https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/

Focus on User Experience to Improve Password Security

Cybersecurity and user experience are often at odds with each other. But the NIST password guidelines are pretty clear: strong password security is rooted in a streamlined user experience.

Your users will always do what makes their lives easiest (and research shows they’ll do so even if they know that behavior compromises their password security). So if you create the kind of user experience that uses this tendency to encourage safe behavior, it helps you both keep their data secure.

Want to learn more about finding the magical balance between UX and security? Check out this blog post that lays out our philosophy.

A half-baked 2FA is 0FA.

I can speak on behalf of 3 of my prev 3 jobs that TOTP would never be allowed: Rockwell Collins (can't bring phones in an ITAR area), ESS Inc (can't have phones on the shop floor as the Ferric Chloride in the batts is what is used to ETCH circuit boards and it eats phones!), 343i AAA game studio (again, phones in some areas are not OK).

So IF you wanna sell Neos Pro Lic to large firms who are just handing out FIDO2 keys, as that's what Infosec mastermind MS has recommended, you are gonna lose potential clients..

Just stating some hard facts that are gonna upset some folks to hear.

peterthethinker commented 3 years ago

bump. there was buzz to the 2FA and it's fallen flat.

Do we have any news on FIDO2 keys? And an allowlist?