
LoginNotify cannot notify for logins from unknown sources if 2FA is enabled
Open, Needs Triage, Public

Description

If a user has 2FA enabled, and someone finds out what their password is and tries to log into their account, they will be stopped at the 2FA step. This means a "successful" login happened from an unknown device, but thanks to 2FA the user was not let in completely.

If I understand the code of LoginNotify correctly, in a situation like this the victim account will *not* be notified because notifications depend on the AuthManagerLoginAuthenticateAudit hook, which is only triggered *after* the 2FA is done. If so, then we might want to use a different hook that would allow notification before the 2FA check.
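To make the timing gap described above concrete, here is an added illustration that is not part of this task or of the LoginNotify/MediaWiki code. It is a constructed model of a password-then-2FA login: a "final result" audit list stands in for a hook like AuthManagerLoginAuthenticateAudit that only sees a completed PASS or FAIL, and a "second factor" audit list stands in for the proposed hook that would fire as soon as the password step passes. The class and function names (AuthFlow, unknown_device_alerts, the scenario functions) and the sample credentials and device labels are all assumptions made up for the example; the retry behaviour follows the comment that 2FA can be re-prompted any number of times.

```python
"""Constructed model of a two-step login flow, written to show when a
final-result audit hook fires versus a primary-factor-passed hook.
Not MediaWiki code: AuthFlow, the hook lists and the sample values are
assumptions for this illustration only."""

from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Outcome labels, loosely modelled on the idea of PASS / FAIL / "show UI" responses.
PASS, FAIL, UI = "PASS", "FAIL", "UI"


@dataclass
class AuthFlow:
    password: str
    totp: str
    known_devices: Set[str] = field(default_factory=set)
    # final_audit only receives completed logins (PASS or FAIL), like a
    # post-authentication audit hook; second_factor_audit receives every
    # password-correct attempt before the 2FA prompt is shown.
    final_audit: List[Tuple[str, str]] = field(default_factory=list)
    second_factor_audit: List[Tuple[str, str]] = field(default_factory=list)

    def login(self, password: str, totp: Optional[str], device: str) -> str:
        # Primary factor: the password.
        if password != self.password:
            self.final_audit.append((FAIL, device))
            return FAIL
        # Password was right: this is the earliest point at which an
        # unknown device is worth reporting to the account owner.
        self.second_factor_audit.append((PASS, device))
        # Secondary factor. A missing or wrong code just re-prompts (UI),
        # so nothing reaches the final audit list; the login never "completes".
        if totp is None or totp != self.totp:
            return UI
        self.final_audit.append((PASS, device))
        return PASS


def unknown_device_alerts(flow: AuthFlow, hook_events: List[Tuple[str, str]]) -> List[str]:
    """Devices that a notifier driven by the given hook list would alert on."""
    return [dev for status, dev in hook_events
            if status == PASS and dev not in flow.known_devices]


def scenario_password_only_attacker() -> Tuple[List[str], List[str]]:
    """Someone with the correct password but no 2FA device tries twice from
    an unknown device. Returns (alerts from the final hook, alerts from the
    second-factor hook)."""
    flow = AuthFlow(password="constructed-password", totp="123456",
                    known_devices={"owner-laptop"})
    flow.login("constructed-password", None, "unknown-device")      # stops at the 2FA prompt
    flow.login("constructed-password", "000000", "unknown-device")  # wrong code, prompted again
    return (unknown_device_alerts(flow, flow.final_audit),
            unknown_device_alerts(flow, flow.second_factor_audit))


def scenario_owner_known_device() -> Tuple[List[str], List[str]]:
    """The account owner completes both steps from a known device: the final
    hook fires, but neither hook should produce an alert."""
    flow = AuthFlow(password="constructed-password", totp="123456",
                    known_devices={"owner-laptop"})
    flow.login("constructed-password", "123456", "owner-laptop")
    return (unknown_device_alerts(flow, flow.final_audit),
            unknown_device_alerts(flow, flow.second_factor_audit))


if __name__ == "__main__":
    print("attacker with password only:", scenario_password_only_attacker())
    print("owner on known device:", scenario_owner_known_device())
```

In the first scenario the final-result list stays empty, because no attempt ever finished, so a notifier hanging off that hook never learns that the password was used from an unknown device; the second-factor list records both attempts, which is exactly the signal the task is asking to surface. The second scenario shows that moving the hook earlier does not by itself create noise for the owner on a known device.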

Event Timeline

Restricted Application added a subscriber: Aklapper.

Also 2FA can be retried any number of times (there is throttling, but LoginNotify won't be able to see the separate attempts). I guess the simplest would be to have a SecondFactorAudit hook.

Reedy renamed this task from "LoginNotify cannot notify for logins from unkonwn sources if 2FA is enabled" to "LoginNotify cannot notify for logins from unknown sources if 2FA is enabled". Jan 11 2023, 8:23 PM