openwebwork / webwork2

Course management front end for WeBWorK
http://webwork.maa.org/wiki/Main_Page

Re-generate the 2FA QR code #2376

Closed Alex-Jordan closed 6 months ago

Alex-Jordan commented 6 months ago

Suppose you go to a course for the first time and scan the QR code, setting up an entity in your authenticator app. You enter the course (without checking the skip box), then log out. Then, you remove that entity from your authenticator app for some reason. Maybe just clearing out old accounts. Or maybe you lose your phone and all its data and have a new phone. Now how do you get into the course? Unless I'm missing something, I think maybe we need a mechanism to show the QR code again if it's really needed.

Alex-Jordan commented 6 months ago

This happened to me with a course I made once for a quick test previously. I had removed it from my authenticator app. Then I decided to go into that course for another test of something new, but I can't get in because of this reason. Deleting all cookies for this site did not help. So naturally I just tried deleting the course and then creating a new course with the same name. But I am still unable to get in (no new QR code presented), so it seems that when I deleted this course, not everything about it was cleared from the database, and that may be an additional issue.

drgrice1 commented 6 months ago

There is. If it is a student, then the user will need to contact the instructor. The instructor will then go to the "Accounts Manager" and reset two factor authentication for that user from the new form on that page that does this (the form that for some reason is not showing up now, so I will check on that). If it is an instructor or admin user, then the instructor will need to contact the system administrator. The system administrator will use the wwsh script to run the bin/reset2fa script for that user.

This was all stated in https://github.com/openwebwork/webwork2/pull/2335#issue-2151392995.

drgrice1 commented 6 months ago

If you deleted the course, then the OTP code would be deleted from the database with the user. So that would reset two factor authentication. There is no way that it could possibly persist in the database, as it is in the new column in the password table, and so is deleted with that table.

I see that there is nothing wrong with the form on the user list. I just have two factor authentication disabled for my local test course, and it only shows up if two factor authentication is enabled.

Alex-Jordan commented 6 months ago

OK, so what happened is that my user from the admin course gets copied to the new course. That prevents me from seeing a QR code for the new course. So I can enter the new course if I use the entry in the authenticator app for the admin course.

drgrice1 commented 6 months ago

Yes, that would be the case. I see that as a feature for admin users that are copied into a course. Then they don't have to set up two factor authentication for each course.

drgrice1 commented 6 months ago

We will need to document this. Perhaps we could add a comment in the admin course UI about this.

Alex-Jordan commented 6 months ago

There's a related thing that I think @somiaj realized and mentioned. If I take instructor A's Fall course, I can copy it to instructor A's Spring course, including their user. This is relatively new. So their user will copy over with the OTP code. In their authenticator app, the entry will be named using the Fall course name. I don't know what to do about this except try to remain aware of it.

Alex-Jordan commented 6 months ago

And a similar issue when unarchiving a course and giving it a new name.

drgrice1 commented 6 months ago

Yeah, the password and OTP secret will be restored with the archive. So the administrator will probably need to reset two factor authentication in those cases.
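The behaviour discussed above (a copied or restored user row carries its OTP secret with it, so an authenticator entry labelled with the old course name keeps producing valid codes for the new course, and only clearing the secret forces a fresh QR code) can be illustrated with a small RFC 6238 TOTP model. This is an added example, not WeBWorK code: `PasswordRow`, `copy_user`, `reset_2fa`, `verify` and `SAMPLE_SECRET` are constructed here and are not the project's schema or scripts; only the TOTP arithmetic follows the RFC.

```python
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


@dataclass
class PasswordRow:
    """Hypothetical stand-in for one row of a per-course password table.
    The real WeBWorK schema is not reproduced; the point is that the OTP
    secret lives beside the password and travels with the row."""
    user_id: str
    password_hash: str
    otp_secret: Optional[str] = None  # None: 2FA not set up, show the QR code


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (Unix seconds // step)."""
    return hotp(secret_b32, at // step, digits)


def needs_enrollment(row: PasswordRow) -> bool:
    """True when the course should present a QR code for this user."""
    return row.otp_secret is None


def verify(row: PasswordRow, code: str, at: int, window: int = 1) -> bool:
    """Accept a code for the current step or +/- `window` steps of drift.
    A row without a secret cannot verify anything: enrollment is required."""
    if row.otp_secret is None:
        return False
    counter = at // 30
    return any(
        hmac.compare_digest(hotp(row.otp_secret, counter + d), code)
        for d in range(-window, window + 1)
    )


def copy_user(src: PasswordRow, dst_course: Dict[str, PasswordRow]) -> None:
    """Mimic copying a user into another course (or restoring an archive):
    the whole row, OTP secret included, is duplicated."""
    dst_course[src.user_id] = PasswordRow(src.user_id, src.password_hash, src.otp_secret)


def reset_2fa(row: PasswordRow) -> None:
    """Mimic an administrator resetting 2FA: clear the secret only."""
    row.otp_secret = None


def demo(now: int = 59) -> dict:
    """Walk the thread's scenario with constructed data and report the outcome."""
    fall = {"instructorA": PasswordRow("instructorA", "<constructed hash>", SAMPLE_SECRET)}
    spring: Dict[str, PasswordRow] = {}

    copy_user(fall["instructorA"], spring)
    # The authenticator entry made for the Fall course yields this code...
    fall_code = totp(fall["instructorA"].otp_secret, now)
    # ...and the Spring course accepts it, because the secret was copied.
    accepted_in_spring = verify(spring["instructorA"], fall_code, now)

    # Only a reset clears the secret and makes Spring show a new QR code;
    # the Fall row is untouched.
    reset_2fa(spring["instructorA"])
    return {
        "fall_code": fall_code,
        "copied_secret_accepted": accepted_in_spring,
        "spring_needs_enrollment_after_reset": needs_enrollment(spring["instructorA"]),
        "spring_rejects_old_code_after_reset": not verify(spring["instructorA"], fall_code, now),
        "fall_still_enrolled": not needs_enrollment(fall["instructorA"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows why the Fall-named authenticator entry keeps working for the copied Spring user and why resetting (nulling the secret) is what brings the QR code back; the same applies to a restored archive, since the row comes back whole.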

drgrice1 commented 6 months ago

These things will certainly need to be documented.