-
Hi, in fact this is not the theme issue.
I haven't checked on those standards closely but it's not clear how you can avoid identifying what failed without negatively impacting UX. We already don't say what failed on the initial login/password stage, which makes sense because there is a pair of keys. However, 2FA is a single field and in order to get there (2FA) you need to get through the first level of authentication (login and password). I assume PCI DSS security standards need an update and consider the reality of 2FA. I don't remember Google Authentication nor any other (in my memory) doing it in an old way, where you need to enter all 3 details (login, password, token) on one screen and see only one vague message.
-
It definitely looks cleaner. Seeing the token input field when 2FA isn't enabled was a little irksome.
However, the PCI DSS security standard requires that you cannot identify which of the factors has failed when access is denied. Having them on separate screens allows someone to pinpoint which of the authentication factors are valid.
I have zero to little experience creating anything in Perl, but I'm looking into how to solve this.