Implement two-factor authentication (2FA) on Apply

[nickaddy]

Background

2FA is now commonplace for all online accounts. JAC Digital would like to implement 2FA to add an extra layer of protection for sensitive personal candidate data held on Apply. In addition, we would like to implement a session timeout, so that candidates are automatically logged out after a pre-determined time period.

User Story

As a candidate, I would like 2FA to be implemented on Apply so that my sensitive personal data is more secure.

Benefit(s) to user (if not already clear from User story)

If a candidate's device is mislaid or stolen, they will be logged out of Apply and their data will remain confidential.

Feature(s) Description

• [ ] Add UK Mobile Phone number field to Candidate profile on Apply
• [ ] Add instructions: Please input your UK Mobile phone number in the format 0xxxxxxxxxx. This number will be verified and used for Two-factor authentication.
• [ ] First validate number to ensure format correct for UK mobile phone, i.e. 0+10 digits
• [ ] If correct, a 6-digit code is sent by SMS to that mobile number and a modal pops up asking candidates to input the code
• [ ] If the code is correct, the number is updated as verified, if incorrect, the candidate can repeat the process
• [ ] Once the number is verified, 2FA is activated
• [ ] 2FA is required every 7 days
• [ ] Implement a session timeout of 2 hours
• [ ] The phone number field in the Personal details section of the application form is no longer included; this is replaced by the UK Mobile phone number field, which is read only

Acceptance Criteria

It's done when:

• [ ] A new, mandatory mobile phone field is added to the Candidate profile section on Apply
• [ ] Each time the mobile phone field is updated, a mechanism is triggered to verify the number by SMS
• [ ] 2FA is activated the first time this field is populated
• [ ] 2FA must be performed at least every 7 days
• [ ] Candidates' login sessions time out after 2 hours
• [ ] The mobile phone field appears as a read only field under Personal details on the application form

Definition of Done

• [ ] User stories/acceptance criteria met
• [ ] Internal reviews passed (feedback actioned)
• [ ] User testing passed
• [ ] Relevant technical documentation updated
• [ ] User guidance updated
• [ ] Deployed and merged without errors

User Testing Steps

Specify for users what is being tested (but not how to test it.)

Feature Champion

Nick

[nickaddy]

Hey team! Please add your planning poker estimate with Zenhub @drieJAC @HalcyonJAC @tomlovesgithub @warrensearle

[drieJAC]

'2FA is required every 7 days' 'Implement a session timeout of 2 hours'

If a user gets logged out after 2 hrs then wont they need to login again with 2FA?

[nickaddy]

No, they just log back in normally, without 2FA. 2FA is only required once a week, i.e. if I'm asked this morning when I log in at 9am, I will next be asked - at the earliest - at 9am next Monday.