nhost / hasura-backend-plus

🔑Auth and 📦Storage for Hasura. The quickest way to get Auth and Storage working for your next app based on Hasura.
https://nhost.github.io/hasura-backend-plus/
MIT License

Support SMS MFA #508

Closed joshmedeski closed 3 years ago

joshmedeski commented 3 years ago

User Story

As a user, I want to decide what two-factor authentication method I want to use so that I can increase the security of my account in the most convenient way possible.

Notes

I have potential clients that would want this feature, so I can personally commit to working on this if we can decide on the best approach to solving it.

elitan commented 3 years ago

SMS support is also discussed here: https://github.com/nhost/hasura-backend-plus/issues/338

joshmedeski commented 3 years ago

@elitan I read through that issue. This is related to using SMS for two-factor authentication, not using a phone number for registration (different purposes).

elitan commented 3 years ago

Yep, different purposes. But the underlying SMS implementation should be shared across these issues. So I just wanted to link them.

cweagans commented 3 years ago

It seems strange to add support for a 2FA mechanism with known vulnerabilities and a track record of exploitation. I would suggest not moving forward with this (neither for HBP nor for @joshmedeski's client that wants it) given how simple SIM swap attacks are these days. Most US mobile providers will do it with just an SSN, which are all effectively public after the Equifax breach. It would be way safer to text a link to a page that lets you use a previously configured FaceID, U2F token, or similar as a second factor -- that would at least guarantee that the SMS message is getting to the right device (since FaceID and TouchID signatures are locked to one specific device, and the U2F key built into some Android phones is also locked to one specific device).

joshmedeski commented 3 years ago

This is a fair point @cweagans. I have a client that wants to use this feature, even though these vulnerabilities are a reasonable concern.

Google offers this feature. It's easier than using an authenticator for non-tech-savvy users. SMS 2FA is better than no 2FA in my opinion :)

cweagans commented 3 years ago

Non-tech-savvy users put their passwords on sticky notes and tweet a picture of it, but that doesn't make it a good idea.

SMS 2FA is barely better than no 2FA these days. Like this:

[image]

If this goes in, I strongly support adding some documentation explicitly stating that this is security theater and really doesn't add any protection.

joshmedeski commented 3 years ago

Thanks for the feedback, let's see what @elitan says since he's the product owner.

elitan commented 3 years ago

We’ve decided to only fix bugs and refactors on Hasura Backend Plus from now on because we’re working on a new auth + storage service for Hasura. Currently, these new repositories are private but will be open-sourced soon.

We’ll have your issue in mind when developing the new services. So thanks for filing this issue.

This means I’ll close this issue for now.