WordPress / wporg-two-factor

2FA for WordPress.org accounts
35 stars 7 forks source link

Post-login prompt to verify 2FA options are up to date #275

Open dd32 opened 2 months ago

dd32 commented 2 months ago

We should be prompting users upon login that their account details are still up-to-date, and that they have access to their 2FA options.

For example; I login with my Security key, I should be prompted to verify that I..

This would not be prompted every time, but perhaps once every other month.

It's easy to become complacent when using a device built-in security key (Mac TouchID, Windows Hello) to let these become outdated as the login process can be very frictionless.

The intention is that by reminding users of these, that we'd be enforcing that they need these things in order to be able to recover their account if they lose access to their main 2FA method.

dd32 commented 1 month ago

See discussion here:

https://github.com/WordPress/wporg-two-factor/issues/20#issuecomment-2257284712

I was thinking that the interstitial added via https://github.com/WordPress/wordpress.org/pull/351 could be extended to:

  • Prompt after a month that they have their Recovery codes
  • Prompt to verify the methods listed are still current (Ie. do you still have that security key after not using it for 3 months? - That Passkey might be on an old laptop for example)
  • Prompt after login when they have less than 5 backup codes remaining
  • Prompt regularly to verify their email address is current?

https://github.com/WordPress/wporg-two-factor/issues/20#issuecomment-2257618847

Part of the problem with potentially over-prompting is that they become irrelevant, and also, if we're doing something different to other services, the users will probably be annoyed by them!

Just thinking how many times i've been prompted to either check my settings or what methods are valid - it's probably close to zero times, unless being forced to change the method of auth.

https://github.com/WordPress/wporg-two-factor/issues/20#issuecomment-2257632770

Apparently GitHub does a 1-month after 2FA enable to verify the settings are expected, which is probably enough to prompt/remind you that "oh.. I think i threw that scrap of paper out.." or "I was going to add that extra key later and never did.."