jazzband / django-two-factor-auth

Complete Two-Factor Authentication for Django providing the easiest integration into most Django projects.
MIT License

Additional authentication when disabling 2FA #253

Open mrowqa opened 6 years ago

mrowqa commented 6 years ago

How about additional authentication when user tries to disable 2FA?

Bouke commented 6 years ago

What do you mean by additional authentication?

mrowqa commented 6 years ago

The second step of login. Attack scenario:

  1. Bob knows your password: for example, there was a leak from another webpage and you're lazy, so you have the same password, believing in 2FA.
  2. You leave your computer for a moment and forget to lock the screen (phone call, restroom, etc.).
  3. Bob quickly disables your 2FA.

Bouke commented 6 years ago

Good idea; it might be better to require 2FA confirmation before disabling 2FA. Something like "sudo mode" on Github.

schinckel commented 3 years ago

Allowing a user to disable 2FA when not verified means 2FA can always be bypassed.

Bouke commented 3 years ago

Can you explain how 2FA can always be bypassed?

schinckel commented 3 years ago

Ah, it's because I'm using a "verify only when required, not on login" workflow.

In that case, this view does not require verification, and so a user can disable 2FA after login - then if there are otp_required(if_verified=True) views, they can be accessed.

I think that requiring verification on this view would not have any negative side-effects on the regular workflow. In my case I needed to re-add this view (and the show-backup-tokens view) but in an otp_required form.

moggers87 commented 3 years ago

@schinckel that's covered in #388 (thanks to your earlier comment that prompted me to go look at DisableView)

CrimsonZen commented 3 years ago

+1 to this. Ideally I'd like to be able to apply a decorator - something like is_recently_verified - to extra-extra-sensitive views that require immediate OTP re-verification. Would be good to have that system available for pages like:

CrimsonZen commented 3 years ago

(This came through as a recommendation to us from a security researcher, as extra insulation in the event of a session hijack.)

A-dead-pixel commented 1 year ago

+1 to this. Ideally I'd like to be able to apply a decorator - something like is_recently_verified - to extra-extra-sensitive views that require immediate OTP re-verification. Would be good to have that system available for pages like:

  • Disable 2FA
  • Change Password/Email
  • Delete account

I think that enabling 2FA should also be protected, though of course only via simple password authentication. As of now, in the case of a "session hijack" one can easily lock out a logged-in user.
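As an added example (not code from django-two-factor-auth, django-otp, or anyone in this thread), here is the "recently verified" gate that schinckel, CrimsonZen and A-dead-pixel describe: a decorator that lets a sensitive view such as the disable-2FA view run only when the session has passed an OTP check within a short window, and otherwise sends the user to a re-verification page. It is written without Django so it runs stand-alone; the session key, the five-minute window, the re-verify URL, the Redirect stand-in and the Fake* objects are all assumptions. In a real project the decorator would wrap DisableView (and the backup-tokens view) in place of a plain otp_required, and record_otp_verification would be called from the login second step and from the re-verify view.

```python
import time
from functools import wraps

# Assumptions for this example, not settings of django-two-factor-auth or django-otp.
LAST_OTP_VERIFICATION_KEY = "otp_last_verified_at"   # hypothetical session key
DEFAULT_MAX_AGE_SECONDS = 300                         # "sudo mode" window: 5 minutes
REVERIFY_URL = "/account/two_factor/reverify/"        # hypothetical re-verification page


class Redirect:
    """Stand-in for django.http.HttpResponseRedirect so the example runs without Django."""
    status_code = 302

    def __init__(self, url):
        self.url = url


def record_otp_verification(request, now=None):
    """Stamp the session right after a successful OTP check (login second step or re-verify view)."""
    request.session[LAST_OTP_VERIFICATION_KEY] = time.time() if now is None else now


def is_recently_verified(request, max_age=DEFAULT_MAX_AGE_SECONDS, now=None):
    """True only if the user passed OTP in this session *and* did so within max_age seconds.

    The first condition mirrors django_otp's user.is_verified(); the second is the
    freshness requirement this thread asks for, which otp_required alone does not check.
    """
    user = getattr(request, "user", None)
    if user is None or not user.is_verified():
        return False
    stamp = request.session.get(LAST_OTP_VERIFICATION_KEY)
    if stamp is None:
        return False
    now = time.time() if now is None else now
    return 0 <= now - stamp <= max_age


def recent_otp_required(max_age=DEFAULT_MAX_AGE_SECONDS, reverify_url=REVERIFY_URL):
    """Decorator: run the view only with a fresh OTP verification, else redirect to re-verify.

    A session that only completed the password step (schinckel's "verify only when
    required" workflow) is not enough, so the disable view cannot be used to skip 2FA.
    """
    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            if not is_recently_verified(request, max_age):
                return Redirect(reverify_url)
            return view(request, *args, **kwargs)
        return wrapped
    return decorator


# --- constructed stand-ins for Django's request/user objects ---------------------
class FakeUser:
    def __init__(self, verified):
        self._verified = verified
        self.otp_devices = ["TOTP device"]   # constructed: the user's single enrolled device

    def is_verified(self):                    # same name as django_otp's user.is_verified()
        return self._verified


class FakeRequest:
    def __init__(self, user):
        self.user = user
        self.session = {}


@recent_otp_required(max_age=DEFAULT_MAX_AGE_SECONDS)
def disable_two_factor(request):
    """The sensitive action, in the spirit of two_factor's DisableView: drop all devices."""
    request.user.otp_devices.clear()
    return "2FA disabled"


def simulate(verified, verified_seconds_ago=None):
    """Run the disable view for one session state; returns (outcome, devices still enrolled)."""
    request = FakeRequest(FakeUser(verified))
    if verified_seconds_ago is not None:
        record_otp_verification(request, now=time.time() - verified_seconds_ago)
    response = disable_two_factor(request)
    outcome = response if isinstance(response, str) else "redirect:" + response.url
    return outcome, len(request.user.otp_devices)


if __name__ == "__main__":
    print(simulate(False))            # password-only session (the bypass case): redirected, device kept
    print(simulate(True, 3600))       # verified an hour ago: too stale, redirected, device kept
    print(simulate(True, 10))         # verified 10 s ago: allowed, device removed
```

The first two calls cover the thread's two concerns in turn: a session that never completed OTP (the bypass schinckel describes) and a long-lived verified session left unattended (mrowqa's attack scenario). Only the third, freshly re-verified session reaches the view body.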