freedomofpress / securedrop

GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!
https://securedrop.org/

Journalist 2FA setup should provide backup codes #2287

Open huertanix opened 7 years ago

huertanix commented 7 years ago

Feature request

Journalist 2FA setup should provide backup codes.

Description

Currently, the 2FA workflow for journalists does not include the generation of 2FA backup codes, which are important for all the use cases which backup codes are useful for. Some verbiage should also be included to instruct the user to save their backup codes in their (Tails workstation KeePassX?) password manager.

User Stories

As a journalist, I would like to have backup 2FA codes available (and instructions on where to safely keep them) so that I can log into SecureDrop after I upgrade my cool phone to the new cool phone x and link up the new device with my account.

kushaldas commented 7 years ago

What about providing 3 backup code(s)? Or do we want more?

conorsch commented 7 years ago

Good idea, @huertanix! In practice I've seen knowledgeable users document the 2FA TOTP seed value, to help recovery situations if a phone gets lost. That's not good practice, though, and it'd be better to issue recovery codes.

@kushaldas Providing 3 backup codes is plenty—if a backup code is used, the first task should be to reset the 2FA. Documentation about how to safely store the backup codes will need to be clear. We've been training folks to stuff everything they need into KeePass within Tails, but that rubs against the grain of the purpose of 2FA a bit.

kushaldas commented 7 years ago

Here are a few questions for the design:

redshiftzero commented 7 years ago

> The general suggestion is to have a separate table to handle backup code logic. Is that okay to add?

If we need to add a table (which it sounds like we would need unless there is something in pyotp to handle backup codes I am not aware of - I have not dug into that), it might be better waiting until #1419 is implemented as then we can do things like add tables.

> Should the backup codes be one time usable?

Yep, backup codes should be one time usable.

kushaldas commented 7 years ago

Backup codes are not part of the TOTP spec, so we will have to implement our own.

zenmonkeykstop commented 2 years ago

Noting that schema changes are easier now, so we can add a new table for backup codes as necessary. Some small amount of UX + Security research tbd before proceeding. Would also need to consider how to handle it for SecureDrop Workstation users, especially if 2FA resets are mandatory.
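
The design points raised in this thread (three codes, a separate table, one-time use) can be sketched as follows. This is an added example, not SecureDrop code and not written by any commenter: the `backup_codes` table, its columns and the function names are hypothetical, and `sqlite3` stands in for the project's database layer.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Hypothetical schema: one row per issued code, plaintext never stored.
SCHEMA = """CREATE TABLE backup_codes (
    id INTEGER PRIMARY KEY, journalist_id INTEGER NOT NULL,
    salt BLOB NOT NULL, code_hash BLOB NOT NULL,
    used INTEGER NOT NULL DEFAULT 0)"""

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db

def _hash(code, salt):
    # Codes carry 80 random bits, so a salted SHA-256 resists offline guessing.
    return hashlib.sha256(salt + code.encode()).digest()

def issue_codes(db, journalist_id, count=3):
    """Replace any earlier codes and return the plaintext codes to show once."""
    db.execute("DELETE FROM backup_codes WHERE journalist_id = ?", (journalist_id,))
    codes = []
    for _ in range(count):
        code = secrets.token_hex(10)  # 20 lowercase hex characters
        salt = secrets.token_bytes(16)
        db.execute(
            "INSERT INTO backup_codes (journalist_id, salt, code_hash) VALUES (?, ?, ?)",
            (journalist_id, salt, _hash(code, salt)))
        codes.append(code)
    db.commit()
    return codes

def redeem_code(db, journalist_id, submitted):
    """Return True at most once per code; the caller should then force a 2FA reset."""
    rows = db.execute(
        "SELECT id, salt, code_hash FROM backup_codes WHERE journalist_id = ? AND used = 0",
        (journalist_id,)).fetchall()
    candidate = submitted.strip().lower()
    for row_id, salt, code_hash in rows:
        if hmac.compare_digest(_hash(candidate, salt), code_hash):
            # The conditional UPDATE makes consumption atomic: a concurrent replay loses.
            cur = db.execute(
                "UPDATE backup_codes SET used = 1 WHERE id = ? AND used = 0", (row_id,))
            db.commit()
            return cur.rowcount == 1
    return False
```

Reissuing codes deletes the old rows, so a 2FA reset that calls `issue_codes` again invalidates any codes still written down from the previous set.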