
Vulnerability From Other Admin Accounts #208

Closed
richardkentgates opened this issue Dec 26, 2017 · 5 comments

Comments

@richardkentgates

If you view a user with two-step setup, you can uncheck the boxes, which doesn't actually leave them unchecked after saving, but it does remove the Primary mode, leaving it wide open without requiring two-step. So if someone gets in through an Admin with weak security, they can disable two-step for other users.

@kasparsd
Collaborator

Thanks for reporting the issue @richardkentgates!

In #88 we're actually thinking of allowing admins to configure 2FA for all users.

So if someone gets in through an Admin with weak security, they can disable two-step for other users.

I haven't verified this but can't admins reset all user passwords in core WP?

@ericmann
Collaborator

This is not necessarily a vulnerability but is usually the way access can be restored if an admin loses the means with which they provided a second step of authentication.

Use AWS for example (they support app-based 2FA by way of tools like Google Authenticator). If you and I are both admins on an account, and you drop your phone in a mud puddle, you've lost access to your account entirely. The only way to restore access is to either call Amazon and work with a CSR to override your account and reset things, or ask me to disable 2FA for your account so you can log in and set up a new device.

I'm explicitly using the phrase "mud puddle" because this is the classic mud puddle test when it comes to application security. It's a common discussion security engineers have when determining the trade-offs of any specific approach.

In other words, this is somewhat by design and not a vulnerability of the system. Removing 2FA is an administrative-level operation open to anyone with administrative-level credentials.

@richardkentgates
Author

I can totally agree with this, but there should be a selection to force users to set up Two-Step, and by the hackish performance of doing this, it's obvious this is an oversight, not an intentional feature. However, I did use this to allow someone to regain access after they set it up with a faulty configuration which locked them out.

So if it is something that is desirable, I think it should still be worked on to secure any real vulnerabilities that may have been overlooked. I may have some time to contribute in the next 30-90 days, bearing in mind that I'm new to WordPress development and I'm unsure of the direction of coding practices and standards for WordPress with the upcoming 5.0 release.

At any rate, I think it's kick @ss that you guys are doing this work for the betterment of the platform. The world owes you much gratitude.

@crstauf

crstauf commented Dec 28, 2018

Suggestion: when 2FA settings are changed, send the user an email to confirm (or at least notify). Perhaps only send the email if changed by someone other than the account holder.
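crstauf's notification suggestion above, as an added example that is not part of this thread or of the Two-Factor plugin: a WordPress snippet that emails the account holder whenever a 2FA-related user meta entry on their account is added, changed or removed by a different logged-in user, and leaves an audit line in the server log. The `_two_factor_` meta-key prefix is an assumption; adjust it to match the plugin's actual keys.

```php
<?php
/**
 * Added example (not the Two-Factor plugin's own code): notify the account
 * holder when someone else changes their 2FA settings, as suggested in the thread.
 *
 * Assumption: the plugin keeps per-user 2FA settings in user meta whose keys
 * begin with "_two_factor_". Change the prefix below if the keys differ.
 */
define( 'TWO_STEP_NOTIFY_META_PREFIX', '_two_factor_' );

function two_step_notify_on_foreign_change( $object_id, $meta_key, $action ) {
    if ( 0 !== strpos( $meta_key, TWO_STEP_NOTIFY_META_PREFIX ) ) {
        return; // not a 2FA setting, ignore
    }
    $actor_id = get_current_user_id();
    if ( $actor_id === (int) $object_id ) {
        return; // the account holder changed their own settings
    }
    $target = get_userdata( $object_id );
    if ( ! $target || empty( $target->user_email ) ) {
        return;
    }
    $actor      = $actor_id ? get_userdata( $actor_id ) : null;
    $actor_name = $actor ? $actor->user_login : 'an unauthenticated process (e.g. WP-CLI or cron)';

    $subject = sprintf( '[%s] Your two-factor settings were %s',
        wp_specialchars_decode( get_bloginfo( 'name' ) ), $action );
    $message = sprintf(
        "The two-factor setting \"%s\" on your account was %s by %s at %s.\n\n"
        . "If you did not request this, contact your site administrator immediately.",
        $meta_key, $action, $actor_name, current_time( 'mysql' )
    );
    wp_mail( $target->user_email, $subject, $message );

    // Audit trail for whoever reviews the server log later.
    error_log( sprintf( 'two-step audit: user %d meta %s %s by user %d',
        $object_id, $meta_key, $action, $actor_id ) );
}

// Core fires these after a user meta row is inserted, updated or deleted.
add_action( 'added_user_meta', function ( $mid, $object_id, $meta_key ) {
    two_step_notify_on_foreign_change( $object_id, $meta_key, 'enabled' );
}, 10, 3 );
add_action( 'updated_user_meta', function ( $meta_id, $object_id, $meta_key ) {
    two_step_notify_on_foreign_change( $object_id, $meta_key, 'changed' );
}, 10, 3 );
add_action( 'deleted_user_meta', function ( $meta_ids, $object_id, $meta_key ) {
    two_step_notify_on_foreign_change( $object_id, $meta_key, 'removed' );
}, 10, 3 );
```

Drop the file into a must-use plugin so it cannot itself be deactivated from the admin screens that an attacker with admin access would be using.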

@iandunn
Member

iandunn commented Oct 19, 2022

I agree that admins should be able to manage 2FA of other admins. Forcing all users (or specific roles) to enable 2FA is covered by #255 / #239. Notifying folks when settings change is covered by #476 / #484.

So it seems safe to close this issue. Let me know if I missed a reason why it should stay open though.

iandunn closed this as completed Oct 19, 2022