
OATH (2FA) needs an option to remember device but not keep user logged in
Open, Needs Triage, Public

Description

In the current implementation of two-factor authentication (OATH, 2FA), if a user has 2FA enabled, every time they log in they need to generate a token, regardless of whether the device is known to the server or not.

The only way to avoid entering a token at every login is to keep the user logged in permanently, which creates a perverse incentive that reduces security: long-lived sessions are exactly what a shared device should not have.

There should be an option to add a device as a trusted device without keeping the user logged in, so that a user can log out and log back in with the password only. This would be useful for e.g. home and workplace computers, where other people may have physical access to the same device, but the combination of a known device and the password can be deemed sufficient to authenticate the user.

Event Timeline

There may be situations where the user connects on a semi-trusted device and doesn’t want to leave some secondary authentication token behind, e.g. when s/he uses a public library computer or a colleague’s computer. For instance it happened to me recently during an editathon where I had to use a public library computer (the WiFi was too secure and not available to visitors). Of course, private browsing is preferable in this situation, when available.

If such a feature is implemented with a secondary token saved during the login process, there should be a way to discard it:

  • either with a checkbox when entering the TOTP code (opt-in or opt-out to be decided),
  • or with a "hard logout" that clears all tokens during logout.

Another process would be a button in the preferences to voluntarily declare the current device as trusted.
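One way to model the trusted-device token this comment describes, kept separate from the login session so that a normal logout preserves it and a "hard logout" revokes it. This is an added example, not code from the task or from MediaWiki's OATHAuth extension; the 30-day lifetime, the hashed server-side store and the function names are assumptions.

```python
import hashlib
import secrets
import time

TRUSTED_DEVICE_TTL = 30 * 24 * 3600  # assumption: a trusted device expires after 30 days


class TrustedDeviceStore:
    """Server-side registry of devices allowed to skip the TOTP step.

    Only a hash of each token is stored, so a database leak does not hand
    out usable device tokens. The token itself is meant to live in its own
    cookie, independent of the session cookie.
    """

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, used by the tests
        self._records = {}              # sha256(token) -> (user, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def remember(self, user):
        """Called when the user ticks 'trust this device' after a valid TOTP code."""
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = (user, self._now() + TRUSTED_DEVICE_TTL)
        return token  # caller sets this as a separate HttpOnly, Secure cookie

    def is_trusted(self, user, token):
        """True if the presented token belongs to this user and has not expired."""
        if not token:
            return False
        key = self._digest(token)
        record = self._records.get(key)
        if record is None:
            return False
        owner, expires_at = record
        if expires_at <= self._now():
            del self._records[key]      # lazily purge stale entries
            return False
        return owner == user

    def forget_all(self, user):
        """The 'hard logout': revoke every trusted device of this user."""
        stale = [k for k, (owner, _) in self._records.items() if owner == user]
        for k in stale:
            del self._records[k]
        return len(stale)


def totp_required(store, user, device_token):
    """Password check already passed; decide whether to prompt for a TOTP code."""
    return not store.is_trusted(user, device_token)
```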

@Seb35 I agree. The implementation of "trusted" devices should include an option to remove a trusted device. Thank you for listing out how the feature can be implemented.