WordPress / two-factor

Two-Factor Authentication for WordPress.
https://wordpress.org/plugins/two-factor/
GNU General Public License v2.0

Remember device #230

Open PeopleInside opened 6 years ago

PeopleInside commented 6 years ago

Hi, it would be nice to be able to trust a device for a custom, editable number of days, so that the two-step code is not always required on a trusted device. There should be an option to reset all safe devices to 0 again to "resume security".

I have seen this work in the WordPress 2-step verification plugin.

Great plugin

heyjoecampbell commented 6 years ago

+1

kasparsd commented 6 years ago

Would this be cookie based where we simply not require the second factor if the "remember me" cookie is present?

PeopleInside commented 6 years ago

Hi @kasparsd, I do not know... in the plugin I mentioned you have a function (once logged in) to remove trusted devices. If this will be based only on a cookie, there should be a way to decide on the website to disable that cookie... I mean, if there is a security issue there should be a way to log into the system and remove the trusted device, so the two-step code will be asked again on those devices.

heyjoecampbell commented 6 years ago

Would using cookies enable administrators the ability to view and deactivate trusted devices?

Also, how long would a device be trusted (30 days) and can the timeframe be configured by the administrator?

alanef commented 5 years ago

Is this being worked on by anyone?

kasparsd commented 5 years ago

@alanef I'm not aware of anyone working on this right now.

kasparsd commented 5 years ago

The default WP "Remember Me" feature should be working. Here is how we're forwarding the rememberme checkbox to the second factor check:

https://github.com/georgestephanis/two-factor/blob/ea5c3f005da08e7619e5d839d5bbd06e3f545bcf/class.two-factor-core.php#L372-L375

Or is this about a feature similar to Google's trusted devices?

PeopleInside commented 5 years ago

I want the WordPress password to be requested and the two-factor step to be skipped on a secure device. Remembering the username and password and keeping the session always active is not the most secure way.

claytoncollie commented 5 years ago

Greetings @alanef @kasparsd @heyjoecampbell @PeopleInside

Are any of you working on this feature? I think remembering the device would be a nice addition over the standard WP rememberme. Seems to me like we want to save the device in the database and allow the user and/or admin to remove those devices similar to Google's trusted devices.

Is that the consensus?

PeopleInside commented 5 years ago

@claytoncollie I think it is this, yes.

alanef commented 5 years ago

Yes I already have this in the security plugin I'm developing, using device fingerprinting to warn users of unknown devices. It records the 'trusted' device footprint in user meta.

I think it should be fairly easy to use a hook into 2FA to not ask for the 2nd factor if the device is trusted.

claytoncollie commented 5 years ago

@alanef that sounds cool. Are you going to submit a PR with your code?

alanef commented 5 years ago

I don't think it would be architecturally correct to 'pollute' the 2FA code with 'fingerprinting' functionality (otherwise it starts to become a broader security system), which is why I was thinking of hooking into 2FA. When I get round to looking in detail at where to hook in (or extend a class?) I may then need to submit a PR to facilitate the linking.

PeopleInside commented 5 years ago

I moved to another plugin for two-step. Now Wordfence integrates the two-step and works great with remembering the secure IP for 30 days. It works perfectly :)

I'd still be happy to suggest a great feature to you ;)

warengonzaga commented 3 years ago

I'd love to see this feature soon.

ttodua commented 3 years ago

I think it is quite basic and essential functionality to have "remember me". I frankly don't understand why that was called "broader/out-of-scope" for this. On the contrary, that is directly part of the 2FA functionality, it is not "something else". If you say that it's not easy and the devs didn't have time for that, then I will understand, but if it is said that the feature is insecure/unrelated, then I can't understand why you decide instead of the user. You might have that feature disabled by default, but the idea of a plugin (in general) is to simplify something and give flexibility to the user. Most people who use 2FA already know some basics of security, and it is not good to totally decide on their behalf whether they want "remember me" or not. You can do that "by default", but must still leave an option to enable it (either IP & fingerprint or whatever; even, if you want, add a warning message on that option, but still permit enabling it). Otherwise, I don't see that as a professional approach, and moreover, hearing that "I have to use custom code & hooks" to achieve my desired functionality... Voila, I will go with another plugin that allows that feature and good-bye. What is best: having a customer with that option, or making a customer go away altogether?

The worst mistake I see in WP, which causes advanced people to stay away from WP, is the philosophy "we know what you want better than you". Yeah, that might play well with 50-80% of average Joes, but it surely deserves to be undervalued by professionals, because it not only "decides itself" and hides options away from choice (which is correct), but it also leaves no option to find, somewhere in a corner, a button for "options for advanced users", and urges me (on the pretext that it "takes care of me") to get into sFTP, open files and hardcode/insert some manual scripts & snippets.

Sorry for lengthy post, but this plugin is the only plugin I use with my WP sites permanently, so this was the only place where I decided to mention my thought.

PeopleInside commented 3 years ago

@ttodua you can try Wordfence, which includes two-step; it is the plugin I'm currently using.

ttodua commented 3 years ago

@PeopleInside well, that's the thing that I dislike. That makes a user leave (and still leaves them unhappy, because the user eventually moves to that "alternative" while not liking that alternative much, but has to go), while there could have been a rational solution and everybody could have been happy.

PeopleInside commented 3 years ago

well, that's the thing that I dislike. You make the user leave

I just want to help, and as I'm not a developer, and as on the web I see much software that after a while misses updates or simply decides not to include a feature or requires too much time, I find solutions to problems.

Anyone is free to stay or to leave; I don't have the power here to make users happy or not. Sorry, I opened this issue as a member. I was using this plugin solution but something moved me away.

I will unfollow this issue, and the issue can be closed by the developers if they consider this resolved. I'm stopping following this topic now so I don't make anyone unhappy with my messages, which is something I really don't want.

ttodua commented 3 years ago

@PeopleInside ah, no, I didn't personally address you, my mistake, sorry; I thought I was talking with the maintainer. I just wanted to address the philosophy of how devs typically treat users who submit feedback or criticism of their products. This plugin was not yours, nor did I want to direct it to you... Moreover, thanks for the advice, I might be using Wordfence in the near future for that reason.

PeopleInside commented 3 years ago

@PeopleInside ah, no, I didn't personally address you, my mistake, sorry; I thought I was talking with the maintainer. I just wanted to address the philosophy of how devs typically treat users who submit feedback or criticism of their products. This plugin was not you, nor did I want to direct it to you...

OK thanks I see you edited your message. Great, I'm sorry for the frustration, I can understand.

svenbolte commented 5 months ago

Are there any plans to implement the feature (identify and use the client device as a 2nd factor)?

The "WordPress built-in remember function" only keeps you logged in as long as nothing has changed on the platform and plugins and themes are not updated.

A 2FA option to use the device as the 2nd factor means that after WordPress has logged you out, or you logged out yourself from the admin area, you get the login mask again, but the 2FA plugin detects that you are on a trusted device and logs you in without using the authenticator app or the OTP email token for a while, let's say 2 weeks.

The same thing that many sites, like Amex, offer.

Short: define a list of trusted devices in the admin backend of the 2FA plugin and use them as the 2nd factor.
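As an added illustration (not the plugin's code and not any commenter's), here is one way to build the trusted-device behaviour this thread asks for: a per-device random token stored only as a hash in user meta with an admin-configurable lifetime, a revoke-all function for the "resume security" case, and a filter that skips the second factor on a trusted device. The cookie name, meta key and `tf_trusted_device_days` filter are assumptions, and the `two_factor_enabled_providers_for_user` filter name is assumed from the plugin's core class rather than taken from this thread; check it against the installed version.

```php
<?php
// Added example for the Two Factor plugin discussion; names below are assumptions, not plugin API.
const TF_TRUST_COOKIE = 'wp_tf_trusted_device';   // holds "<device id>:<secret>"
const TF_TRUST_META   = 'tf_trusted_devices';     // user meta: [ id => [ 'hash', 'expires', 'ua' ] ]

// Trust lifetime in days; site owners adjust it via the (assumed) tf_trusted_device_days filter.
function tf_trust_days() {
	return max( 1, (int) apply_filters( 'tf_trusted_device_days', 14 ) );
}

// Call once the second factor has been validated (e.g. from a "remember this device" checkbox).
// Only a keyed hash of the secret is stored, so a database read-out does not yield usable cookies.
function tf_issue_trusted_device( $user_id ) {
	$id      = wp_generate_password( 12, false );
	$secret  = wp_generate_password( 32, false );
	$expires = time() + tf_trust_days() * DAY_IN_SECONDS;
	$devices = (array) get_user_meta( $user_id, TF_TRUST_META, true );
	$devices[ $id ] = array(
		'hash'    => wp_hash( $secret ),
		'expires' => $expires,
		'ua'      => substr( $_SERVER['HTTP_USER_AGENT'] ?? '', 0, 200 ), // shown in an admin list only
	);
	update_user_meta( $user_id, TF_TRUST_META, $devices );
	// Secure + HttpOnly so the token is not exposed to scripts or sent over plain HTTP.
	setcookie( TF_TRUST_COOKIE, $id . ':' . $secret, $expires, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
}

// True only if the cookie names a stored device, it has not expired, and the secret matches.
function tf_is_trusted_device( $user_id ) {
	if ( empty( $_COOKIE[ TF_TRUST_COOKIE ] ) ) {
		return false;
	}
	list( $id, $secret ) = array_pad( explode( ':', (string) $_COOKIE[ TF_TRUST_COOKIE ], 2 ), 2, '' );
	$devices = (array) get_user_meta( $user_id, TF_TRUST_META, true );
	if ( ! isset( $devices[ $id ] ) || (int) $devices[ $id ]['expires'] < time() ) {
		return false;
	}
	return hash_equals( $devices[ $id ]['hash'], wp_hash( $secret ) ); // constant-time compare
}

// "Resume security": drop every trusted device so the second factor is asked again everywhere.
function tf_revoke_all_trusted_devices( $user_id ) {
	delete_user_meta( $user_id, TF_TRUST_META );
}

// Skip the second factor on a trusted device by reporting no enabled providers for this user.
add_filter( 'two_factor_enabled_providers_for_user', function ( $providers, $user_id ) {
	return tf_is_trusted_device( $user_id ) ? array() : $providers;
}, 10, 2 );
```

Because the trust is bound to a browser cookie rather than an IP address, a user on a new browser or after clearing cookies is simply asked for the second factor again, and the admin-side list can be rendered from the stored `ua` and `expires` values.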