magento / security-package

Magento Security Extensions
Open Software License 3.0

Allow each admin user to choose which 2fa providers to setup #273

Open willjones9 opened 4 years ago

willjones9 commented 4 years ago

Preconditions

Steps to reproduce

Enable (and configure) the following 2FA providers:

Expected result

A user can choose between one of the three 2FA methods.

Actual result

Magento expects all three 2FA providers to be configured for every user account and it is not possible to pick and choose which provider is used on a per user basis.

Configuring multiple 2FA providers causes the system to see them all as forced providers, meaning that they have to be configured for each and every user in the system as opposed to allowing a user to choose between one of the enabled providers.

This is a problem, considering that merchants may wish to configure the second factor authentication method on a user or role basis. For example, store administrators may wish to use Duo, whereas employees dealing with order fulfillment (who perhaps don't need to access the admin area out of hours and not have mobile phones on them during their day) may need to use a U2F such as Yubikey or similar.

The current implementation does not allow for this use case, which seems like it should be a very obvious option that should be included.

ihor-sviziev commented 4 years ago

2FA module was moved to https://github.com/magento/security-package/. @sdzhepa @naydav could you move this issue into this repo?

sdzhepa commented 4 years ago

Thank you @ihor-sviziev cc: @willjones-stratagem
Transferred to security-package repo

m2-assistant[bot] commented 4 years ago

Hi @willjones-stratagem. Thank you for your report. To help us process this issue please make sure that you provided sufficient information.

Please, add a comment to assign the issue: @magento I am working on this

nathanjosiah commented 4 years ago

@willjones-stratagem Thank you for the report! This is by design. Once a user has configured all enabled providers they are able to choose which one they want to authenticate with.

nathanjosiah commented 4 years ago

To expand on my explanation, your users can configure the one they have access to at the time, then later when they have access to another they can configure the second one. You can skip configuration of a provider as long as you have at least one already configured. Once they have both configured they can simply choose which one they want to use at a given time.

tschirmer commented 1 year ago

This is still broken in 2.4.5-p1. And doesn't look intentional. If it is by design, the designers need to try using it.

The workflow is like this:

It appears to me that 2 configuration values are intended, a "Use config providers" and a "Force config providers", but only one is present (or unintentionally being set to "force" instead of "use").

nathanjosiah commented 1 year ago

@tschirmer When multiple providers are enabled, each user must configure all of them (or skip the configuration). Once they are configured each user can choose which provider to authenticate with at each login.

alucardatem commented 1 year ago

What about adding multiple YubiKeys as backup keys? As you know, when getting a hardware-based token, you would always need a backup key, which you should register with the service that provides that. @nathanjosiah

Correct me if I am wrong, but there is the possibility to do so, as in the encrypted stored JSON data:

```json
"u2fkey": {
  "registration": {
    "public_keys": [
      {
        "key": "<PUBLIC KEY DATA>",
        "id": "<ID ???>",
        "aaguid": "<ANOTHER STRANGE VALUE>"
      }
    ]
  },
  "active": true
}
```

Doesn't the above mean that we should be able to add in X YubiKeys, as an example? And what about recovery codes to be used?

Looking into all of the services that provide 2FA: configuration should be doable from the admin panel as well, on the user level, to add 2FA, change the 2FA, add new security keys as extra methods, and have a list of generated backup codes.

That is basic in regard to 2FA.

nathanjosiah commented 1 year ago

@alucardatem yes, that is correct. The implementation was built with this forward-compatibility should it ever be implemented since it was a relatively common use case within u2f keys. However, u2f keys are not very common so there isn't a lot of push for this (or really any new 2fa features) and subsequently our product teams do not have anything on the roadmap at the moment for this feature. That said, something that may be of interest to you is that we do have something on the roadmap that would minimize the number of times you need to complete a 2fa challenge while using the same device. A sort of "remember me" feature.

alucardatem commented 1 year ago

@nathanjosiah - while the "remember me" feature is something nice to have, I think that users should have the possibility of changing the secret on the Google Auth (re-implementing it or turning it off) or having the option to use backup codes. But adding hardware tokens has become an essential security practice these days inside a lot of businesses, and something like that inspires more trust in a merchant and a day-to-day operations user of the admin panel for a member of staff of client X from company Y, and would also take the load off a single administrator to issue "resets" every time someone "forgets" or loses the phone etc.

And to be honest, in this case at least as I am seeing it, combining the "remember me" for 2FA / login etc. (whatever it will be called, similar to what LastPass uses, I would assume) would be a really exciting feature and capability of Magento which will put it ahead of competitors?

diwipl commented 1 year ago

> @tschirmer When multiple providers are enabled, each user must configure all of them (or skip the configuration). Once they are configured each user can choose which provider to authenticate with at each login.

We have multiple cases in our customer base where some admins would like to use only google auth, others would like to use only hardware keys, and some would like to have both.

Currently, such a flow has really bad UX because in case an account has only one provider configured, the admin is forced to receive the email to configure the second one, and only after clicking the link in the email is the admin able to click "Skip until next login" to use the already configured provider.

Could you explain why skipping is not possible directly after the login screen (having of course at least one provider configured) without a need to receive an email and clicking on the link there?
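To make the two behaviours discussed above concrete (nathanjosiah's "configure all, then choose" flow versus the "any configured provider is enough" flow diwipl asks for, plus alucardatem's point that the stored `u2fkey` record is an array of keys), here is an added Python model. It is not Magento's code: the `u2fkey` shape follows the JSON quoted in the thread, while the other provider entries, the `ENABLED_PROVIDERS` list and the `force_all` flag are assumptions for illustration.

```python
import json

# Constructed sample of one admin user's stored 2FA state. The "u2fkey" shape
# (registration.public_keys[] with key/id/aaguid, plus "active") follows the
# structure quoted in the thread; "google" and "duo_security" entries are assumed.
STORED_2FA_JSON = """{
  "google": {"secret": "<SECRET>", "active": true},
  "duo_security": {"active": false},
  "u2fkey": {"registration": {"public_keys": [
      {"key": "<PUBLIC KEY DATA>", "id": "<ID ???>", "aaguid": "<ANOTHER STRANGE VALUE>"},
      {"key": "<BACKUP KEY DATA>", "id": "<ID 2>", "aaguid": "<AAGUID 2>"}
  ]}, "active": true}
}"""

# Assumed admin-side configuration: the providers that are globally enabled.
ENABLED_PROVIDERS = ["google", "duo_security", "u2fkey"]


def load_state() -> dict:
    """Parse the constructed per-user state."""
    return json.loads(STORED_2FA_JSON)


def configured_providers(stored: dict) -> set:
    """Providers the user has finished setting up (marked active)."""
    return {name for name, cfg in stored.items() if cfg.get("active")}


def registered_u2f_keys(stored: dict) -> int:
    """Number of hardware keys stored; the array allows a primary plus backups."""
    reg = stored.get("u2fkey", {}).get("registration", {})
    return len(reg.get("public_keys", []))


def login_flow(stored: dict, enabled: list, force_all: bool) -> dict:
    """Decide what the user sees after the password step.
    force_all=True models the behaviour reported in the thread: every enabled
    provider must be configured (or explicitly skipped via the emailed link)
    before the user may authenticate. force_all=False models the requested
    behaviour: any already configured provider can be used straight away.
    """
    configured = configured_providers(stored)
    missing = [p for p in enabled if p not in configured]
    if not configured:
        return {"action": "configure", "pending": missing, "usable": []}
    if force_all and missing:
        return {"action": "configure_or_skip", "pending": missing, "usable": []}
    return {"action": "authenticate", "pending": [],
            "usable": sorted(configured & set(enabled))}


if __name__ == "__main__":
    state = load_state()
    print("registered U2F keys:", registered_u2f_keys(state))
    print("current (force all):", login_flow(state, ENABLED_PROVIDERS, True))
    print("requested (any one):", login_flow(state, ENABLED_PROVIDERS, False))
```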

alucardatem commented 1 year ago

Why is this closed? And how can we set this to skip from the start and not go through X emails and bad workflows over this? As @diwipl mentioned, we also have in our company users that have hardware keys and do not want a Google 2FA / Authenticator app, people who want both, and several individuals that use Authy.

Now you can imagine that currently we have Google Authenticator / Authy / U2F keys, which means that the person who uses the U2F key has to skip on 2 emails before logging in.

diwipl commented 1 year ago

@alucardatem just for your information, since we cannot wait for Magento's official fix, we created a module that solves that issue: https://packagist.org/packages/creativestyle/magesuite-tfa-do-not-force-all-providers

alucardatem commented 1 year ago

@diwipl - did something similar (internally) :D without the skip. It just shows all providers in order to log in directly via that one.

However, I do like the skip of the second activation. Thank you.

fredden commented 1 year ago

@nathanjosiah please can you re-open this so that it can be resolved properly.

nathanjosiah commented 1 year ago

I'm going to look into this again. One of my teams may have availability to work on this.