Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Post-login prompt to verify 2FA options are up to date #275

Open
dd32 opened this issue Jul 4, 2024 · 1 comment
Open

Post-login prompt to verify 2FA options are up to date #275

dd32 opened this issue Jul 4, 2024 · 1 comment

Comments

@dd32
Copy link
Member

dd32 commented Jul 4, 2024

We should be prompting users upon login that their account details are still up-to-date, and that they have access to their 2FA options.

For example; I login with my Security key, I should be prompted to verify that I..

  • have the same email address
  • still have my TOTP app setup (hint: I don't, intentionally)
  • that my backup security key is still valid
  • still have access to my recovery codes

This would not be prompted every time, but perhaps once every other month.

It's easy to become complacent when using a device built-in security key (Mac TouchID, Windows Hello) to let these become outdated as the login process can be very frictionless.

The intention is that by reminding users of these, that we'd be enforcing that they need these things in order to be able to recover their account if they lose access to their main 2FA method.
@dd32
Copy link
Member Author

dd32 commented Jul 31, 2024

See discussion here:

#20 (comment)

I was thinking that the interstitial added via WordPress/wordpress.org#351 could be extended to:

  • Prompt after a month that they have their Recovery codes
  • Prompt to verify the methods listed are still current (Ie. do you still have that security key after not using it for 3 months? - That Passkey might be on an old laptop for example)
  • Prompt after login when they have less than 5 backup codes remaining
  • Prompt regularly to verify their email address is current?

#20 (comment)

Part of the problem with potentially over-prompting is that they become irrelevant, and also, if we're doing something different to other services, the users will probably be annoyed by them!

Just thinking how many times i've been prompted to either check my settings or what methods are valid - it's probably close to zero times, unless being forced to change the method of auth.

#20 (comment)

Apparently GitHub does a 1-month after 2FA enable to verify the settings are expected, which is probably enough to prompt/remind you that "oh.. I think i threw that scrap of paper out.." or "I was going to add that extra key later and never did.."

bazza pushed a commit to WordPress/wordpress.org that referenced this issue Aug 20, 2024
@dd32
Login: 2FA: Add a post-login nag to setup backup codes when either no…
9c08d89 
…ne are saved or the user is running really low on them.

This will hopefully reduce the number of users who become locked out of their account after losing their authentication key / device / etc.

Merges #358
Fixes WordPress/wporg-two-factor#279
See WordPress/wporg-two-factor#300, WordPress/wporg-two-factor#275


git-svn-id: https://meta.svn.wordpress.org/sites/trunk@13982 74240141-8908-4e6f-9713-ba540dce6ec7
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@dd32