scheb / two-factor-bundle

[ABANDONED] Two-factor authentication for Symfony 2 & 3 applications 🔐. Please use the newer versions from https://github.com/scheb/2fa.
https://github.com/scheb/2fa
MIT License

Add ability to use whitelist for trusted computers instead of complete bypass #279

Closed mike240se closed 4 years ago

mike240se commented 4 years ago

I was thinking that it would be useful to be able to use whitelisting of IPs but instead of bypassing 2fa completely, the whitelisted IPs would be permitted to set as a trusted computer.

This would be excellent for where you want people to be able to set a computer as trusted but want to prevent people from accidentally doing that when they aren't at a specific location. In my case I can then allow users to set their work PC as trusted but not be able to set their home PC accidentally.

I haven't yet looked into the code to see if it can easily be done with what is already in place, I wanted to get your thoughts on it first.

Thanks

scheb commented 4 years ago

Hmm, that would be a new feature. A new configuration option under scheb_two_factor.trusted_device and then some permission control on whether you can set the trusted device cookie or not. Would be something for v5 I'd guess, since it brings some changes on interfaces.

Right now you'd have the option to implement your own TrustedDeviceManager, which would allow you to restrict setting the cookie to specific IPs. And in the form template you'd need to make sure the trusted device checkbox is only shown for those trusted IPs. Wouldn't be pretty, but should work.
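The custom TrustedDeviceManager approach described above, as an added example (my code, not the bundle's or the issue author's). It assumes the bundle's v4 `TrustedDeviceManagerInterface` with `addTrustedDevice($user, string $firewallName)` and `isTrustedDevice($user, string $firewallName)`, that the default manager is registered as the service `scheb_two_factor.trusted_device_manager`, and that the allowed CIDR ranges are passed in from service configuration; the class name, the `canSetTrustedDevice()` helper and the sample ranges are my own. The check is enforced server-side in `addTrustedDevice`, so hiding the checkbox in the template becomes a usability nicety rather than the security control:

```php
<?php
// Added example, not bundle code: decorate the bundle's trusted-device manager so a
// trusted-device cookie is only ever issued to clients inside an IP allowlist.
// Everyone else still completes 2FA normally; they just never get the cookie.

namespace App\Security;

use Scheb\TwoFactorBundle\Security\TwoFactor\Trusted\TrustedDeviceManagerInterface;
use Symfony\Component\HttpFoundation\IpUtils;
use Symfony\Component\HttpFoundation\RequestStack;

class IpRestrictedTrustedDeviceManager implements TrustedDeviceManagerInterface
{
    /** @var TrustedDeviceManagerInterface the bundle's own manager, which we wrap */
    private $inner;

    /** @var RequestStack */
    private $requestStack;

    /** @var string[] CIDR ranges allowed to mark a device as trusted (assumed to come from config) */
    private $allowedRanges;

    public function __construct(TrustedDeviceManagerInterface $inner, RequestStack $requestStack, array $allowedRanges)
    {
        $this->inner = $inner;
        $this->requestStack = $requestStack;
        $this->allowedRanges = $allowedRanges;
    }

    /**
     * Hypothetical helper (not part of the v4 interface): true only when the current
     * request's client IP falls inside one of the allow-listed ranges. The same method
     * can be exposed to the Twig template to hide the checkbox, but the decision that
     * matters is the one taken in addTrustedDevice() below.
     */
    public function canSetTrustedDevice(): bool
    {
        $request = $this->requestStack->getMasterRequest();
        if (null === $request) {
            return false; // no HTTP request (e.g. CLI): never issue a trusted cookie
        }
        // getClientIp() only honours X-Forwarded-For for proxies listed in
        // framework.trusted_proxies; leave that unset behind a reverse proxy and you
        // will compare the proxy's address, set it too broadly and the header is spoofable.
        $ip = $request->getClientIp();

        return null !== $ip && IpUtils::checkIp($ip, $this->allowedRanges);
    }

    public function addTrustedDevice($user, string $firewallName): void
    {
        if (!$this->canSetTrustedDevice()) {
            return; // refuse silently: login succeeds, but no trusted-device cookie is set
        }
        $this->inner->addTrustedDevice($user, $firewallName);
    }

    public function isTrustedDevice($user, string $firewallName): bool
    {
        // Checking an existing cookie is unchanged; only issuing new ones is restricted.
        return $this->inner->isTrustedDevice($user, $firewallName);
    }
}

/*
 * Wiring, assumed (config/services.yaml). The decorated service id is my assumption
 * about the bundle's registration; the ranges are documentation addresses, not real ones.
 *
 * services:
 *     App\Security\IpRestrictedTrustedDeviceManager:
 *         decorates: scheb_two_factor.trusted_device_manager
 *         arguments:
 *             $inner: '@App\Security\IpRestrictedTrustedDeviceManager.inner'
 *             $allowedRanges: ['203.0.113.0/24', '2001:db8::/32']
 */
```

Because the decorator refuses in `addTrustedDevice`, re-adding the checkbox to the form client-side gains an attacker nothing, which is the gap the "only hide the checkbox" variant discussed later in this thread leaves open. The IP source is the weak point: verify `framework.trusted_proxies` matches your actual proxy layout before relying on `getClientIp()` for an access decision.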

mike240se commented 4 years ago

> Right now you'd have the option to implement your own TrustedDeviceManager, which would allow you to restrict setting the cookie to specific IPs. And in the form template you'd need to make sure the trusted device checkbox is only shown for those trusted IPs. Wouldn't be pretty, but should work.

Thanks, I was thinking I could even just not show the checkbox unless they are on a list of IPs. That would work for my situation where I know my users personally and I know they don't have the skills to add that text box back in manually. For a public facing app though, probably modifying the trusted device manager would be required.

scheb commented 4 years ago

Classical "security by obscurity" approach, yea would work, but doesn't protect from misuse. If you're fine with that, sure, go for it. It's not going to be a bundle feature that soon.

scheb commented 4 years ago

Moved it to https://github.com/scheb/2fa/issues/6 since it's definitely not coming for bundle version 4 and future versions are located in that other repository.

Therefore closing this one here.