
Improve 2FA / TOTP #403

Open
t2d opened this issue Oct 29, 2022 · 1 comment

Comments

@t2d
Contributor

t2d commented Oct 29, 2022

Thanks a lot for implementing two factor authentication in #388. I think, it's a fantastic first step to improve the security of userli and relying services. I enabled it on my account and it works like a charm.

However, I still challenge your decision to not use the existing recovery code. Here are my problems with this decision:

  1. I find having additional codes confusing.
  2. I don't see a scenario where the already existing recovery code wouldn't suffice.
  3. If I use a TOTP backup code, it gives me no indication that I can't use the backup code again.
  4. Nothing stops me from using all six TOTP backup codes and thereby locking myself out of my account.
  5. Even if I reset my account with the recovery code, it still asks me for my TOTP code on the first login.

In #388, you wrote:

We decided against resetting 2FA configuration with the recovery process for now. Otherwise, we would compromise the security of two-factor authentication. Being able to reset both your password and your two-factor secret using the recovery token (regardless whether it's two options in the process or one) means that one factor (recovery token) is enough to reset both factors of your account. That's not a good idea IMHO.

However, ONE factor isn't always equal. The recovery code was thought to be your ultimate secret, stored in the most secure location you know. Where am I supposed to store my TOTP backup codes?
To my understanding, 2FA/TOTP is mainly used to stay safe from phishing, key loggers and shoulder surfing. To me, this is basically a problem that is non-existent with the recovery code, as I only enter this code in very specific and rare circumstances. Also, it's only used once (actually twice in 48h) and then regenerated. Therefore, I don't think the argument of only one factor works.

Thanks again for driving this issue forward. I appreciate it a lot.
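Points 3 and 4 above describe what a backup-code check should tell the user: that a redeemed code is now spent, and how many codes remain before the account is locked out. The following is an added illustration, not userli's own code: a minimal single-use backup-code store (hypothetical names `BackupCodeStore`, `redeem_message`) that keeps only digests server-side, consumes a code on successful use and reports the remaining count so the UI can warn the user.

```python
import hashlib
import hmac
import secrets

BACKUP_CODE_COUNT = 6  # the issue mentions six TOTP backup codes


def generate_backup_codes(count=BACKUP_CODE_COUNT):
    """Return fresh one-time codes; show them to the user exactly once."""
    return [secrets.token_hex(5) for _ in range(count)]  # 10 hex chars each


def _digest(code):
    # Normalise what the user typed (whitespace, case) before hashing.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


class BackupCodeStore:
    """Server-side state: only digests are stored; a used code is deleted."""

    def __init__(self, codes):
        self._unused = {_digest(c) for c in codes}

    def remaining(self):
        return len(self._unused)

    def redeem(self, candidate):
        """Consume one code. Returns (accepted, remaining) so the caller can
        tell the user the code is spent and how many are left."""
        wanted = _digest(candidate)
        match = None
        for stored in self._unused:  # compare every entry in constant time
            if hmac.compare_digest(stored, wanted):
                match = stored
        if match is None:
            return False, self.remaining()
        self._unused.remove(match)  # single use: a replayed code now fails
        return True, self.remaining()


def redeem_message(store, candidate):
    """User-facing result addressing points 3 and 4 of the issue."""
    ok, left = store.redeem(candidate)
    if not ok:
        return "backup code rejected (unknown or already used)"
    if left == 0:
        return "backup code accepted; none left, regenerate codes or use the recovery code"
    return f"backup code accepted; it is now spent, {left} remaining"
```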

@doobry-systemli
Contributor

doobry-systemli commented Nov 3, 2022

Dear @t2d, thanks for your feedback 😊

I absolutely agree that the user experience got even worse with recovery code and TOTP backup codes. It's just too confusing for most users that there are two types of backup codes now. I'm open to considering replacing the TOTP backup codes with our recovery code altogether. And you bring good arguments why the argument of "one factor to possibly reset two factors" is a weak one.

I'd be interested in opinions by others.
