Clearing logged in state when 2nd factor auth is aborted

[janko]

I've been thinking about janko/rodauth-rails#214, and how it could be valuable if Rodauth could support this directly. I think most applications will want to treat 2nd factor auth as the 2nd step of login; if the user authenticates with 1st factor and then navigates away, on login they should authenticate with 1st factor again. This is e.g. how GitHub's auth flow works.

I can also imagine a keeping the user logged in with 1st factor if they abort 2nd factor auth being a security issue. The user might own the account but may be unable to authenticate with 2nd factor at the moment, and go to home page assuming that login failed. Then another person could come, see the 1st factor already being authenticated, and have an easier time hacking into the account.

The configuration I suggested involves clearing the session when the user makes a request to a non-MFA auth page after login. A page is considered MFA auth page if it's one of two_factor_auth_links, two_factor_auth_path or webauthn_auth_js_path. My solution unfortunately doesn't work with login_return_to_requested_location? and two_factor_auth_return_to_requested_location? being set to true, because those rely on login first redirecting to originally requested location, which would trigger the logout since it's a non-MFA page.

I wanted to check if you would be interested in supporting this MFA flow in Rodauth itself. If yes, I could spend some more time trying to implement this, and would appreciate any pointers you might have 🙁

[jeremyevans]

If you want to limit the entire application to only cases where you are two factor authenticated, adding require_authentication after r.rodauth and before any other routes should be sufficient, correct (and require_two_factor_setup if you want to require all users to have setup 2FA)? If not, can you tell me what I'm missing?

I certainly don't want to make changes to the default behavior, there are plenty of applications where 2FA is only needed for some actions and not the entire application.

[janko]

The difference is where require_authentication redirects if the user navigates away after authenticating with 1st factor but not 2nd factor (given that their account has MFA setup). In most apps I use, if I abort MFA auth and navigate to a page that requires authentication, this redirects to the login form, requiring the user to authenticate via 1st factor again.

In contrast, Rodauth remembers the user already authenticated via 1st factor before, and only asks for the 2nd factor. I'm wondering whether there is an easy way of getting the behavior above in Rodauth. What comes to mind now is overriding #require_authentication (haven't tested it yet):

auth_class_eval do
  def require_authentication
    clear_session if logged_in? && uses_two_factor_authentication && !two_factor_authenticated?
    super
  end
end

I wasn't looking to change the default behavior, just potentially providing a configuration option to get this behavior, since it seems more intuitive to me – the user didn't finish logging in, so they should repeat the login process when authentication is required.

[janko]

Or maybe just changing the 2FA required redirect is enough 🤦🏻‍♂️ (EDIT: this doesn't work, it requires some tweaks)

two_factor_auth_required { login_path }

The other apps I tested with (GitHub, HEY) take the user to the login page, but they still store that the user already authenticated with 1st factor in the session, so navigating to MFA auth page directly will allow skipping the 1st factor.

[jeremyevans]

The other apps I tested with (GitHub, HEY) take the user to the login page, but they still store that the user already authenticated with 1st factor in the session, so navigating to MFA auth page directly will allow skipping the 1st factor.

If you want to mirror GitHub/HEY authentication exactly, redirecting back to the login page is fine. In my opinion, that approach adds no security, and simply adds security theater, making it appear that you need to reauthenticate with the first factor when in fact you do not.

What you have described seems like a bug in their authentication systems. Either they should consider such a session not logged in, and require full reauthentication, or they should consider the session partially authenticated, and redirect to the second factor authentication page (as Rodauth does).

Unless you can think of a security benefit to the approach, I don't want to add an option for it.

[janko]

Thanks for your input, that makes sense 👍🏻 When I realized that these apps do in fact remember the 1st factor, it didn't feel right that they give the illusion that it was cleared, for the reasons you described. Logged in state should be kept in the session, and safely clearing it this scenario isn't trivial at all, so I also don't see the value in adding this option anymore. I'm thankful that I understand the rationale much better now 😊