Email 2FA verification for admins logging into Fleet w/o SSO

[noahtalerman]

Goal

User story
As a security team who is checking out the IT team's new tool,
I want us to be able to use email verification for our “break glass” account in Fleet
so that I can feel confident that we're following security best practices.

Objective

Customer promises + renewal requests

Original request

• 5478

Context

• Product designer: @randy-fleet

Changes

Includes updates to creating and editing users, the invitation flow, and introduces a new (optional) magic link (2FA) experience.

Product

• [x] UI changes: Wireframes are in Figma here
• [x] REST API changes: Documentation PR
• [x] CLI (fleetctl) usage changes: Add a new flag to the fleetctl user create command: 2fa - Enable login two-factor authentication (default: false)
• [x] Changes to paid features or tiers: Fleet Premium only.
  • @noahtalerman: Accidentally committed directly to the 4.59 reference docs branch: https://github.com/fleetdm/fleet/commit/42b279fc53268c57a4ba0099c47734a286e6b66d
• [x] YAML changes: No changes
• [x] Activity changes: No changes
• [x] Permissions changes: No changes
• [x] Other reference documentation changes: No changes

Engineering

• [ ] Feature guide changes: Check if there is an existing guide to update
• [x] Database schema migrations: Probably no DB change.
• [ ] Load testing: Probably no need (BE engineer to consider)
• [ ] Frontend - implement as in Figma
• [ ] Backend - implement the API change as in the above PR
• [ ] Test-plan - To be created by the DRI engineer and approved by QA person

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Requires load testing: TODO
• Risk level: Low / High TODO
• Risk description: TODO

Manual testing steps

1. Step 1
2. Step 2
3. Step 3

Testing notes

Confirmation

1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

[noahtalerman]

Hey @sharon-fdm! Who would be a good engineer for @randy-fleet to partner w/ while designing this one?

[sharon-fdm]

All our BE engineers can help, but @lucasmrod did several tasks in/around this area in the past.

[noahtalerman]

FYI @randy-fleet ^^

[randy-fleet]

@noahtalerman I added a note about reference doc changes needed, and noted where there are no changes needed for Activity and Permissions, but am unsure if there will be CLI/YAML/API changes. Can you help clarify there?

[noahtalerman]

@randy-fleet thanks!

There are no YAML changes but I think we do want to make CLI changes: add a new flag to the fleetctl user create command. Can you please help come up w/ a proposed name for this flag?

fleetctl is Fleet's CLI tool. I suggest following the guide here to download it so you can play around and see the existing options.

To see all options (flags) available for fleetctl user create you can run fleetctl user create -h (-h for help) in your Terminal. This is what the output should look like:

[noahtalerman]

• [ ] REST API changes: TODO: Update the existing user API endpoints
• [ ] Reference documentation changes: TODO: Need to add optional 2FA setting in Users API docs

@sharon-fdm this story is almost ready for specs.

To alleviate some design capacity and move quickly, I think we'll want the engineering team's help designing the API changes and updating the API docs.

To track this, I moved these checkboxes (above and in the issue description) to the engineering section.

Please let me know if you have questions/concerns.

[noahtalerman]

FYI @randy-fleet ^

[sharon-fdm]

@noahtalerman, no problem, we will try to allocate some cycles for this soon.

cc: @lucasmrod

[sharon-fdm]

@noahtalerman, @lucasmrod is assigned to help with the API design and will get to it after some P2 work.

[randy-fleet]

@noahtalerman I got fleetctl up and running and proposed the new flag on the ticket - thanks!

[noahtalerman]

Thanks @randy-fleet!

I think we want to be more explicit than 2fa. Also, not sure about 2FA. I've also seen "MFA" a lot when Googling / talking to folks. Maybe something like --email-verification? or --email-2fa? or --email-mfa?

Right now, as someone creating a user w/ fleetctl, I'm not sure what --2fa means exactly. What does this mean for the user I'm creating?

We could solve this by explaining that it's email in the description. But what if we add an option for 2FA via authenticator app later? I think we want to leave the door open for another explicit flag.

Also, note on an interesting design pattern for command line tools: command line tools often have a double dash -- before the flag (option) like --email-verification. Commands themselves don't have the -- like the user command in fleetctl create user.

[noahtalerman]

@rachaelshaw if you have time, and Lucas hasn't gotten to API design, I would pick this one up after you get through API design review.

[rachaelshaw]

@noahtalerman @lucasmrod API design PR here, added you both as reviewers. I kept "email" out of the new key name and just called it two_factor_authentication_enabled, so we have room to add other means of 2fa in the future by adding an additional key e.g. two_factor_authentication_type.

[rachaelshaw]

@randy-fleet @noahtalerman noticed one potential issue in the designs that I wasn't sure y'all had talked about: we're specifying that the email should be updated to say "Hello {First name}", but the form asks for a user's full name as one field. Inferring first/last names from full names can be tricky since you can't always rely on the location of spaces (e.g. "Mary Jane Van der Henst") so unless we already have code for handling that somewhere in the product, it may make sense to just do "Hello {Full name}".

[noahtalerman]

@rachaelshaw great catch! I think let's go w/ what's simple for now. Sounds like that's full name.

I updated the Figma here:

cc @randy-fleet

[lucasmrod]

API design PR https://github.com/fleetdm/fleet/pull/22526, added you both as reviewers. I kept "email" out of the new key name and just called it two_factor_authentication_enabled, so we have room to add other means of 2fa in the future by adding an additional key e.g. two_factor_authentication_type.

Looks good!

We still need the API changes for the /login endpoint, right?:

1. /login to not return token when 2FA is enabled for the user (or maybe return some flag that this is a 2FA user so that the UI can render the correct dialog).
2. /login to accept some random token generated by Fleet (that links to the session created in step 1).

[noahtalerman]

cc @rachaelshaw ^^

[sharon-fdm]

We will be able to estimate essuming @rachaelshaw will add the "token" field to the Login API as required by @lucasmrod. (Moving to Specified column)

[noahtalerman]

Hey @zayhanlon heads up, this user story didn't make it into the upcoming engineering sprint because we didn't get it estimated in time.

It's still prioritized. We left it on the drafting board so that it can be pulled into the next engineering sprint.

[rachaelshaw]

@noahtalerman @randy-fleet did we spec out what the user sees when the magic link is expired? Here's what we show for expired links in the default Sails app: https://github.com/fleetdm/fleet/blob/main/website/views/498.ejs Maybe we should add a similar kind of error page if we don't have one already? (Or are we planning to just redirect to the login page?)

[noahtalerman]

did we spec out what the user sees when the magic link is expired?

Hey @rachaelshaw great catch. I don't think we did.

I added a note to today's design review to discuss.

[randy-fleet]

@rachaelshaw Thanks for highlighting! Do you happen to have a screenshot, or something that would show me how this current experience looks?

[rachaelshaw]

@randy-fleet worked out the error page copy w/ Noah the other day and added to the design. (Modeled after this one.)

[noahtalerman]

We want this to be a Fleet Premium feature. I updated the pricing page in the reference docs PR here (accidentally committed directly to the PR).

@rachaelshaw can you please check to see if we need to update Figma and the reference docs PRs and make changes if needed?

Can you also please take on the CLI changes? I'm not sure what the pattern is for calling out premium only flags. Do we hide them? Or show some "premium only" message.

cc @sharon-fdm

[rachaelshaw]

@noahtalerman follow-up for API docs: https://github.com/fleetdm/fleet/commit/4a373b061440504ee20d1c84af045380807a8a55 (I also accidentally committed directly to the branch 🤪)

Also updated dev notes in Figma to clarify the new field is only for Fleet Premium.

[noahtalerman]

Hey @lukeheath I think let's give this user story that's tied to a customer promise a P2 so that we try to ship it next sprint.

[lukeheath]

@noahtalerman Agreed, thanks.

[iansltx]

Per design review just now (thx @noahtalerman @rachaelshaw) the Free vs. Premium gating here will be on the ability to enable local MFA on a user (whether on create or later), so we won't have a license check in the auth path.

Also revising the verification email validity period from "same as session timeout" to a distinct, hard-coded (as a constant, so if someone wants to patch their own value in it's a one-line change) value, with the built-in value set as 15 minutes to be in the ballpark of magic link TTLs for sensitive applications.

Also revising the user property in the API to mfa_enabled as the longer value is a little unwieldy (@rachaelshaw lmk if I'm speaking out of turn here).