magento / magento2

http://www.magento.com
Open Software License 3.0

2FA - missing "Trust this device" checkbox #34324

Open Green2Matter opened 3 years ago

Green2Matter commented 3 years ago

Preconditions (*)

  1. Fresh install of Magento CE 2.4.3
  2. Configure Google 2FA
  3. Ubuntu 20.4, PHP 7.4, Percona MySQL 8

Steps to reproduce (*)

  1. Start logging in to backend

Expected result (*)

  1. As per https://docs.magento.com/user-guide/stores/security-two-factor-authentication-use.html it should be possible to add the device to trusted devices (screenshot: storefront-2fa-google-code)

Actual result (*)

  1. But what I can see is: (screenshot: 2FA missing checkbox)


m2-assistant[bot] commented 3 years ago

Hi @Green2Matter. Thank you for your report. To help us process this issue please make sure that you provided the following information:

Please make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, please, add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, please, review the Magento Contributor Assistant documentation.

Please, add a comment to assign the issue: @magento I am working on this


m2-assistant[bot] commented 3 years ago

Hi @engcom-Lima. Thank you for working on this issue. In order to make sure that the issue has enough information and is ready for development, please read and check the following instruction:

engcom-Lima commented 3 years ago

Hi @Green2Matter,

Thank you for reporting the issue.

However, I am able to log in with 2FA in the Admin Panel as expected. You can try increasing the size of max_input_vars in the php.ini file to 10000. That should fix your problem. If it doesn't help, you can raise similar issues on various Magento Forums. You'll probably get the required help.

Since this does not seem to be a Magento core issue, we'll soon have to close this issue. Otherwise, if you still think this issue is related to Magento Dev and should be addressed, please update the Issue Description with more related details.

Green2Matter commented 3 years ago

Hi @engcom-Lima

> However, I am able to log in with 2FA in the Admin Panel as expected. You can try increasing the size of max_input_vars in the php.ini file to 10000. That should fix your problem. If it doesn't help, you can raise similar issues on various Magento Forums. You'll probably get the required help.

Thanks for the prompt reply. I'm able to log in as well, but every time I do it I need to provide a 2FA code. I can't add the device I use to trusted devices as it is shown in the Magento docs... And I already have max_input_vars set to 10000.

engcom-Lima commented 3 years ago

Hi @Green2Matter,

You have to Enable “trust this device” option from Admin Panel. Please check Docs here for doing it correctly.

If you are still facing the same issue, can you please provide more detailed 'Steps to reproduce' for it so that I can try to reproduce it on 2.4-develop? Some screenshots would be helpful. And it would be great if you could update the issue description accordingly.

Green2Matter commented 3 years ago

Hi @engcom-Lima

Simply put, I don't have such an option (trusted devices) to enable... See screenshot:

(screenshot: Google 2fa)

Could it be related to the fact that I kind of "bypassed" the initial configuration (I don't have any sendmail configured) and used the following:

    bin/magento config:set twofactorauth/general/force_providers google
    bin/magento config:set twofactorauth/google/otp_window 60
    bin/magento security:tfa:google:set-secret <admin_user> <Base32_Encode_secret>

BTW, the docs link you quoted is for Magento 2.3. In 2.4: https://docs.magento.com/user-guide/stores/security-two-factor-authentication.html there's no trusted devices option...

michaellehmkuhl commented 2 years ago

It appears that the switch from MSP_TwoFactorAuth to Magento_TwoFactorAuth removed the "Trust this device" functionality. There is no config setting to allow for it, and no checkbox present in any of the 2FA templates in Magento 2.4.3-p1.

Also, module-two-factor-auth/Setup/Patch/Schema/CopyTablesFromOldModule.php seems to migrate the old msp_tfa_trusted table to tfa_trusted and then promptly drop both tables a few lines later.

Whether that trusted device functionality was intentionally or inadvertently removed, it seems to have gone missing at some point along the way, and our admin users are clamoring to get it back.

It looks like this functionality was all removed in MC-22950, according to this commit: https://github.com/magento/security-package/commit/1c48716b733b05950a660c28fabd9ca6c958aac8#diff-9d9785efa4487457e8190b3eae0a29e4b2b1acc4fd8bbfcff97b229f9164d2e1

Green2Matter commented 2 years ago

So, is "trusted device" functionality going to be restored? If not, I'll remove this module and/or install 3rd party module or simply grant access to admin folder by IP address...

hostep commented 2 years ago

@nathanjosiah: do you know the answer to this question? For me it's also one of the reasons to always throw out the built-in TFA module from Magento: I need to repeat my two factors every single time I log in to the backend of a shop and it's insanely annoying. Having the option back to allow "trust this device" would be a good solution here.

nathanjosiah commented 2 years ago

This was intentionally removed and we currently have no plans to re-add it. In general security controls are annoying and affect performance/flexibility/etc in some way so it's usually a tradeoff. In our case we removed this feature.

And since we're on the topic I feel like I need to disclaim: we do not recommend disabling 2FA. Keep in mind that many merchants blindly follow advice like "just disable the 2FA module", so please do not spread advice that will make their stores insecure for the benefit of minor usability enhancements.

Green2Matter commented 2 years ago

@nathanjosiah what's/was the issue with the "trusted devices" option...? It's a good "convenience vs security" trade-off. Banks also apply a similar policy and I can't see a reason not to do it in an online shop. I'm going to remove Magento 2FA and install a 3rd party extension providing a "trusted devices" option...

nathanjosiah commented 2 years ago

We may be able to make an argument for restoring some version of this behavior but this isn't something we could fit into our planning internally at this point. Just so you have context, I don't have the exact number in front of me but something like 80% of compromised stores are due to compromised credentials. Basically this is the most serious security concern outside of not keeping stores updated which is why this has been so strict.

hostep commented 2 years ago

Security implementation is indeed always a compromise between usability and strict security, but I feel like Magento always prefers strict security over usability. Unfortunately this sometimes annoys their users so much that they are willing to work around the security measures completely in order to have an efficient way of working with their shop software. I think Magento needs to gently introduce new security measures and not immediately the most strict implementation possible, as it takes a while to get accustomed to new security measures. Gradually building up security measures helps to move people in the right direction and makes it possible to convince them about the next (stricter) step. But if you implement it so strictly to begin with, people just get annoyed and find workarounds, unfortunately.

I know I shouldn't recommend disabling TFA, and I try not to. This is just a personal opinion of what we do in our agency. Because my colleagues and I have to log in to Magento backends more than a hundred times per day for more than 50 different shops, having that TFA module ask for the 2 factors every single time we need to log in is just too annoying, I'm really sorry, but it is. We do use sane password management with password managers and random passwords with a length of at least 20 characters. And that's currently good enough. But if the TFA module got an option to mark our current device as a trusted one, we would gladly enable it again.

Green2Matter commented 2 years ago

@hostep fully agree! @nathanjosiah if I may suggest: wouldn't it have been better to restore the 2FA "trust this device" option but with a limit on the max. number of days to trust, let's say 14 days...?

BTW, even if a password is compromised and a 3rd party uses it on a different device, 2FA will kick in regardless of the number of trusted days. It makes a difference only in case of physical access to an already trusted device... Anyway, that's how 2FA is being used on any service I know.

adamlavery commented 2 years ago

Agree with @Green2Matter - there should be a limited trust option, configurable by admin, of None, 3, 7, 14, 30 days. Forcing unnecessary security on users will never wash. You're almost guaranteeing that this will get turned off. Same with forcing a password change at short intervals - it just results in weak, insecure passwords being used with an incrementing number tacked on. That's human nature.

The devices most people work from are secure office PCs. The primary point of 2FA is to prevent remote criminerds from gaining access, which it will whether local devices are trusted or not. For those admins who want to force 2FA on every access, just don't enable trusted devices!
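A model of the limited-trust option proposed in the two comments above, as an added example that is not Magento code and not part of this thread: a trusted-device store with an admin-configurable lifetime (None, 3, 7, 14 or 30 days) in which an unknown device, a token issued to a different user, and an expired token all fall back to the normal 2FA challenge. The class, the cookie-token scheme and all names are assumptions for illustration.

```python
# Illustrative model (not Magento's TwoFactorAuth module) of "trust this device"
# with a bounded lifetime. Only a hash of the device token is kept server-side,
# so a leaked table does not yield usable tokens; the raw token lives in a cookie.
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical admin setting: None means the checkbox is not offered at all.
ALLOWED_LIFETIMES_DAYS = (None, 3, 7, 14, 30)
SECONDS_PER_DAY = 86400


@dataclass
class TrustedDevice:
    user_id: str
    token_hash: str    # sha256 of the random token handed to the browser
    expires_at: float  # absolute time in epoch seconds


@dataclass
class TrustedDeviceStore:
    lifetime_days: Optional[int]
    _devices: Dict[Tuple[str, str], TrustedDevice] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.lifetime_days not in ALLOWED_LIFETIMES_DAYS:
            raise ValueError(f"lifetime must be one of {ALLOWED_LIFETIMES_DAYS}")

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def trust(self, user_id: str, now: float) -> Optional[str]:
        """Call after a *successful* second-factor check when the box was ticked.
        Returns the raw token to store in a cookie, or None when trust is disabled."""
        if self.lifetime_days is None:
            return None
        token = secrets.token_urlsafe(32)
        h = self._hash(token)
        expires = now + self.lifetime_days * SECONDS_PER_DAY
        self._devices[(user_id, h)] = TrustedDevice(user_id, h, expires)
        return token

    def requires_2fa(self, user_id: str, cookie_token: Optional[str], now: float) -> bool:
        """True when the second factor must be asked for on this login."""
        if self.lifetime_days is None or not cookie_token:
            return True                      # feature off, or no token presented
        dev = self._devices.get((user_id, self._hash(cookie_token)))
        if dev is None:
            return True                      # unknown device, or another user's token
        if now >= dev.expires_at:
            del self._devices[(user_id, dev.token_hash)]  # expired: forget and re-challenge
            return True
        return False

    def revoke_all(self, user_id: str) -> int:
        """Drop every trusted device of a user (e.g. after a password change)."""
        keys = [k for k in self._devices if k[0] == user_id]
        for k in keys:
            del self._devices[k]
        return len(keys)
```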

hostep commented 2 years ago

@smiverma: can you maybe discuss this with the security team? Thanks!

ihor-sviziev commented 2 years ago

@sidolov @sivaschenko @nathanjosiah, could you please look? In combination with executing PCI DSS requirements, that's such a terrible experience:

PCI Requirement 8.1.8 states, "If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session."

It is a big issue especially for customer support - you have to enter 2FA codes really, really often during the working day.

m2-assistant[bot] commented 2 years ago

Hi @engcom-Delta. Thank you for working on this issue. In order to make sure that the issue has enough information and is ready for development, please read and check the following instruction:

engcom-Delta commented 2 years ago

Hi @Green2Matter, thank you for reporting the issue. We are unable to reproduce the issue on the Magento 2.4 develop branch.

Steps Followed:

  1. Installed Magento 2.4.3-p1.
  2. After enabling 2FA with "sudo php bin/magento module:enable Magento_TwoFactorAuth", not able to log in to the admin panel. Henceforth we are not able to configure 2FA through Stores-->Configuration-->Security.
  3. Followed the below steps to reproduce:

     sudo php bin/magento config:set twofactorauth/general/force_providers google
     sudo php bin/magento config:set twofactorauth/google/otp_window 60
     sudo php bin/magento security:tfa:google:set-secret admin Google_Your_secret_key

  4. Still not able to reproduce the issue "Invalid security or Form key, Please refresh the page."

Actual result: Getting the error "There was an internal error trying to verify your code" (four screenshots from 2022-02-25 attached)

Kindly review provided steps. Added the label "Needs Update".

ihor-sviziev commented 2 years ago

Hey @engcom-Delta, Have you read the title, description and comments? People are complaining about missing the "TRUST THIS DEVICE" checkbox, not the error message on the screenshot.

PS: from your screenshot, it feels like the feature is broken on the 2.4 develop branch. It shouldn't have any errors.

nathanjosiah commented 2 years ago

I'm not sure what @engcom-Delta is looking at, but the security team (my team) is aware of what this is about. We just got some clarification from the compliance teams about what we are even allowed to pursue with this request. I don't have any updates to share, but we will be discussing this item soon.

Green2Matter commented 2 years ago

@ihor-sviziev @engcom-Delta Yes, the issue is about missing "Trust this device" checkbox. In regard to "Invalid security or Form key, Please refresh the page", solution will be provided in the next release: https://github.com/magento/magento2/issues/33749#issuecomment-908145941

@nathanjosiah please keep us updated 😁

m2-assistant[bot] commented 2 years ago

Hi @nathanjosiah. Thank you for working on this issue. In order to make sure that the issue has enough information and is ready for development, please read and check the following instruction:


engcom-Delta commented 2 years ago

Hi @ihor-sviziev, we have verified this issue on a Magento 2.4 develop instance. The issue is not resolved; we still could not find the "Trust this device" checkbox.

Reference ticket# https://github.com/magento/magento2/issues/33749.

Please find the attached video for reference.

https://www.loom.com/share/1650f815b4c5417eb5350335c1a79dbb

Please confirm if something is missing from my end

ihor-sviziev commented 2 years ago

Hey @engcom-Delta, The issue was actually about the missing feature that was there, so you confirmed it.

engcom-Delta commented 2 years ago

Hello @ihor-sviziev, thanks for confirming. We have added the label 'feature request'. Is that fine?

Regards,

ihor-sviziev commented 2 years ago

@engcom-Delta, I'm not sure if we can treat it as a feature request, as in the past such a feature was there, and now it has been removed.

adamlavery commented 2 years ago

The key issue here is that any security system must be acceptable from an end-user's point of view. Blindly demanding end users enter a 2FA code every time they access their site from their own trusted devices is pointless. They'll just turn off this annoyance and in the process make their site less secure.

Same as demanding passwords are changed every x days. That has always been pointless, which most sensible techs have now recognised. All that does is result in people using easy to remember, insecure passwords. Another case of purists winning out over common sense.

Consider: what is the point of 2FA? It is to prove you are who you say you are and not some chancer that has managed to get your access details or some hacker attempting to brute force their way in. Once you've logged in on your own device that is itself secured then why does the website need to check every single time? Pointless!

Hence trusted devices, which only need to be re-authenticated periodically, make the implementation of 2FA acceptable from an end-user's perspective. Any security practice must be acceptable, otherwise people will simply find a way around the restrictions and make it less secure. Security purists need to understand that.

Trusted devices that are periodically re-authenticated (on a schedule that can be configured in the panel to suit different opinions on best practice) must be restored. Otherwise 2FA is being turned off, which makes sites much less secure, completely defeating the aims.

engcom-Delta commented 2 years ago

Hi @ihor-sviziev @adamlavery, thanks a lot for your inputs and confirmation.

@Green2Matter, we have verified this issue on a Magento 2.4 develop instance. The issue still exists and is reproducible: we could not find the "Trust this device" checkbox.

Hence confirming this issue.

Regards,

github-jira-sync-bot commented 2 years ago

Jira issue https://jira.corp.adobe.com/browse/AC-6060 is successfully created for this GitHub issue.

m2-assistant[bot] commented 2 years ago

Confirmed by @engcom-Delta. Thank you for verifying the issue.
Issue Available: @engcom-Delta, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

ihor-sviziev commented 2 years ago

@engcom-Delta, I think it should have P2 priority since it is causing many people to turn off 2FA auth.

adamlavery commented 2 years ago

> @engcom-Delta, I think it should have P2 priority since it is causing many people to turn off 2FA auth.

Agreed. My clients won't accept it as it is and as they are the boss it has been disabled.

glo11468 commented 2 years ago

Ok Adam Lavery, Ihor Sviziev. Updated the priority accordingly.

Thanks, Penchalaiah


omueller commented 1 year ago

Also spent some time with this issue (missing "Trust this device" option) on current (as per August 2023) Magento versions. It would really be good to get it back; it is really annoying, and the only "working" solution to reduce user complaints (besides disabling MFA completely) is to increase the lifetime of admin sessions to several hours (on the M2 and PHP level), which is also not really great security-wise.

Thanks for your work & best regards.

omueller commented 1 year ago

PS: in the meantime, https://www.mageplaza.com/magento-2-two-factor-authentication/ may be useful too.

hostep commented 6 months ago

@nathanjosiah: are there plans to pick this up?

nathanjosiah commented 6 months ago

We have an internal story AC-6060 for this but unfortunately it isn't on our roadmap at the moment. We had several key changes which forced us to reprioritize certain workstreams to align with goals and requirements.

engcom-Delta commented 1 week ago

Hi @Green2Matter ,

Thanks for your report and collaboration. We have re-verified the issue on the latest 2.4-develop instance and the issue is reproducible. Kindly refer to the screenshots.

Steps to reproduce

  1. Enable 2FA
  2. Log in to admin and observe that the "Trust this device" checkbox is missing (screenshot attached)

Thanks.