twilio / authy-devise

Authy Devise plugin to add Two-Factor Authentication
MIT License

Installation Verification Bypassable #132

Closed dgiangrave closed 4 years ago

dgiangrave commented 4 years ago

Description

After a user has entered their phone number on the enable authy page, they are redirected to the installation verification screen. Devise considers a user at this point to be authorized and authy has accepted the entered number as a valid account, even though no verification was entered.

Example User Issue

A user enters their phone number with a typo during enrollment. While waiting for the SMS for the verification screen, they never receive a message. Thinking they entered it incorrectly, they navigate back in the browser. authy-devise recognizes the authy_id generated for the wrong number, and redirects the user to the home page after logging in. At the next log-in attempt the user is prompted for the SMS token, finding themselves locked out due to never verifying the wrong number.

Suggested Fix

It seems that there should be an extra field added to the user called authy_verified. Devise should consider a user with authy_enabled = true and authy_verified = false to not be authenticated into the system. Rather, it should redirect to the verify installation screen if the user has an authy_id but authy_verified is false. Additionally, it should allow a user on the verify installation screen to change their entered phone number in the event it was incorrectly entered.

philnash commented 4 years ago

Thanks for opening this issue.

That does seem like a problem. I'll investigate this as soon as I can.

philnash commented 4 years ago

Hi @dgiangrave, I've investigated this and I'm not sure we have a bug here.

If you follow your description and press back from the verification screen then authy-devise does not have a problem showing the phone number entry again. It is gated by having an authy_id and authy_enabled being true. It might appear that a user is enabled because there is a flash message saying so on the verification page.

It turns out that the enabled message was incorrectly placed (reported as #131) and will be removed as of #136. A user isn't using Authy until authy_enabled is set to true after a successful verification.

dgiangrave commented 4 years ago

Hi @philnash, thank you for looking into this for me. I believe you're right, there is no bug.

In our project, we had attempted to use authy_enabled to force the user to enroll in 2FA; however, based on your post, it is apparent that authy_enabled is used by the gem to gate the verification process. I made changes to do enforcement by manually routing to the enable page if authy_enabled is false. Thank you again for looking into this so quickly, I appreciate the help!
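
The gating discussed in this thread, as an added plain-Ruby model (not authy-devise's own code): an account counts as using Authy only once authy_id is set and authy_enabled is true, and an app that wants mandatory enrollment checks authy_enabled itself. The route string and the authy_id value are constructed placeholders.

```ruby
# Added example, not the gem's code: models the two fields the thread says
# gate enrollment (authy_id, authy_enabled) and the app-level enforcement
# the reporter added. Values and paths are constructed for illustration.
User = Struct.new(:authy_id, :authy_enabled, keyword_init: true)

module EnrollmentGate
  ENABLE_PATH = '/users/enable_authy' # hypothetical route

  # As described by the maintainer: a user is "using Authy" only when an
  # authy_id exists AND authy_enabled is true. authy_enabled flips only
  # after a verification token is accepted.
  def self.using_authy?(user)
    !user.authy_id.nil? && user.authy_enabled == true
  end

  # Login-time second-factor prompt is tied to the same gate, so a user who
  # registered a mistyped number but never verified it is NOT prompted for
  # an SMS token and cannot be locked out by that number.
  def self.prompt_for_token?(user)
    using_authy?(user)
  end

  # App-level enforcement (the reporter's approach): anyone whose
  # authy_enabled is false, including someone who pressed Back mid-flow,
  # is sent to the enable page, where the phone number can be re-entered.
  def self.required_redirect(user)
    using_authy?(user) ? nil : ENABLE_PATH
  end

  # Step 1 of enrollment: phone submitted, Authy returns an id; nothing is
  # verified yet, so authy_enabled stays false.
  def self.register_phone(user, authy_id)
    user.authy_id = authy_id
    user.authy_enabled = false
    user
  end

  # Step 2: a successful token check marks the account as enabled.
  def self.verify_token(user, token_ok)
    user.authy_enabled = true if token_ok && user.authy_id
    user
  end

  # The reporter's scenario: wrong number registered, Back pressed before
  # verifying, then a fresh login. Returns where that login is routed.
  def self.mistyped_phone_scenario
    user = register_phone(User.new, 'authy-id-constructed-000')
    prompt_for_token?(user) ? :sms_prompt : required_redirect(user)
  end
end
```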

philnash commented 4 years ago

Great, glad we're in agreement and you have a solution for your app too. Cheers!