Open mrowqa opened 6 years ago
What do you mean by additional authentication?
The second step of login. Attack scenario:
Good idea; it might be better to require 2FA confirmation before disabling 2FA. Something like "sudo mode" on Github.
Allowing a user to disable 2FA when not verified means 2FA can always be bypassed.
Can you explain how 2fa can always be bypassed?
Ah, it's because I'm using a "verify only when required, not on login" workflow.
In that case, this view does not require verification, and so a user can disable 2FA after login - then if there are otp_required(if_verified=True) views, they can be accessed.
I think that requiring verification on this view would not have any negative side-effects on the regular workflow. In my case I needed to re-add this view (and the show-backup-tokens view) but in an otp_required form.
@schinckel that's covered in #388 (thanks to your earlier comment that prompted me to go look at DisableView)
+1 to this. Ideally I'd like to be able to apply a decorator - something like is_recently_verified - to extra-extra-sensitive views that require immediate OTP re-verification. Would be good to have that system available for pages like:
- Disable 2FA
- Change Password/Email
- Delete account
(This came through as a recommendation to us from a security researcher, as extra insulation in the event of a session hijack.)
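The two guards discussed in this thread, as an added example that is not part of django-two-factor-auth and not the code of any commenter: a framework-agnostic sketch of an otp_required(if_verified=True) check and of the "recently verified" decorator proposed above, plus a constructed scenario showing why an unguarded disable view lets a password-only session reach OTP-protected views. The Request and Forbidden classes, the `otp_verified_at` session key, the decorator signatures and the injectable `now` clock are assumptions made for this example, not the library's API.

```python
"""Illustrative 2FA guards (added example; not django-two-factor-auth's code)."""
import time
from functools import wraps


class Forbidden(Exception):
    """Raised when a guarded view refuses to run (stands in for an HTTP 403/redirect)."""


class Request:
    """Minimal stand-in for a web request: who the user is, plus a session dict."""

    def __init__(self, user_has_2fa, session):
        self.user_has_2fa = user_has_2fa
        # Assumed session layout: 'otp_verified_at' holds the time the OTP step
        # was last completed in this session, or is absent if it never was.
        self.session = session


def otp_verified(request):
    return request.session.get("otp_verified_at") is not None


def otp_required(if_verified=False):
    """Require the OTP step. With if_verified=True, users without 2FA pass on password alone."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if if_verified and not request.user_has_2fa:
                return view(request, *args, **kwargs)
            if not otp_verified(request):
                raise Forbidden("OTP verification required")
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


def recently_verified(max_age, now=time.time):
    """Require an OTP step completed within the last `max_age` seconds (the decorator
    proposed in the thread as 'is_recently_verified'). `now` is injectable for tests."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            verified_at = request.session.get("otp_verified_at")
            if verified_at is None or now() - verified_at > max_age:
                raise Forbidden("fresh OTP verification required")
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


def disable_two_factor(request):
    """The sensitive action itself: turns 2FA off for the user."""
    request.user_has_2fa = False
    request.session.pop("otp_verified_at", None)
    return "2fa disabled"


# 'before': the disable view is reachable with a password-only session.
unguarded_disable = disable_two_factor
# 'after': a fresh OTP (here: within 5 minutes) is needed to disable 2FA.
guarded_disable = recently_verified(max_age=300)(disable_two_factor)


@otp_required(if_verified=True)
def sensitive_view(request):
    return "secret"


def raises_forbidden(view, request):
    """Helper: True if the guard blocks the view for this request."""
    try:
        view(request)
    except Forbidden:
        return True
    return False


def bypass_possible(disable_view):
    """Constructed scenario from the thread: a user with 2FA enabled holds a session
    in which only the password step was done (the 'verify only when required' workflow).
    Returns True if that session can reach sensitive_view without ever entering an OTP."""
    request = Request(user_has_2fa=True, session={})
    raises_forbidden(disable_view, request)  # attempt to switch 2FA off first
    return not raises_forbidden(sensitive_view, request)


if __name__ == "__main__":
    print("unguarded disable view, bypass possible:", bypass_possible(unguarded_disable))
    print("guarded disable view, bypass possible:  ", bypass_possible(guarded_disable))
```

With the unguarded view the password-only session switches 2FA off and sensitive_view then passes because the user no longer has 2FA; with the guarded view the disable attempt is refused, the user still has 2FA, and sensitive_view is still blocked. The same `recently_verified` wrapper applies unchanged to the other views listed above (password/email change, account deletion).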
I think that enabling 2FA should also be protected, though of course only via simple password authentication. As of now, in case of the "session hijack" one can easily lock out a logged-in user.
How about additional authentication when user tries to disable 2FA?