systemli / userli

Web application to (self-) manage email users and encrypt their mailboxes.
https://systemli.github.io/userli/
GNU Affero General Public License v3.0

Improve 2FA / TOTP #403

Open t2d opened 2 years ago

t2d commented 2 years ago

Thanks a lot for implementing two factor authentication in #388. I think, it's a fantastic first step to improve the security of userli and relying services. I enabled it on my account and it works like a charm.

However, I still challenge your decision to not use the existing recovery code. Here are my problems with this decision:

  1. I find having additional codes confusing.
  2. I don't see a scenario where the already existing recovery code wouldn't suffice.
  3. If I use a TOTP backup code, it gives me no indication that I can't use the backup code again.
  4. Nothing stops me from using all six TOTP backup codes and thereby locking myself out of my account.
  5. Even if I reset my account with the recovery code, it still asks me for my TOTP code on the first login.

In #388, you wrote:

We decided against resetting 2FA configuration with the recovery process for now. Otherwise, we would compromise the security of two-factor authentication. Being able to reset both your password and your two-factor secret using the recovery token (regardless whether it's two options in the process or one) means that one factor (recovery token) is enough to reset both factors of your account. That's not a good idea IMHO.

However, ONE factor isn't always equal. The recovery code was thought to be your ultimate secret, stored in the most secure location you know. Where am I supposed to store my TOTP backup codes? To my understanding, 2FA/TOTP is mainly used to protect against phishing, key loggers and shoulder surfing. To me, this is basically a problem that is non-existent with the recovery code as I only enter this code in very specific and rare circumstances. Also, it's only used once (actually twice in 48h) and then regenerated. Therefore, I don't think the argument of only one factor works.

Thanks again for driving this issue forward. I appreciate it a lot.

doobry-systemli commented 2 years ago

Dear @t2d, thanks for your feedback :blush:

I absolutely agree that the user experience got even worse with recovery code and TOTP backup codes. It's just too confusing for most users that there's two types of backup codes now. I'm open to considering replacing the TOTP backup codes with our recovery code altogether. And you bring good arguments for why the argument of "one factor to possibly reset two factors" is a weak one.

I'd be interested in opinions by others.