
[FEATURE] Add explicit support for 2FA systems #280

Open
sshipway opened this issue Oct 13, 2019 · 3 comments
@sshipway

Is your feature request related to a problem? Please describe.
Two-factor auth systems are currently able to use Weakforced protection. However, when using a 2FA system you might wish to say that, under certain conditions, a second factor is or is not required depending on history. For example, if a user is logging in from a 'home' country then a correct password is sufficient, but if from overseas then 2FA is necessary.

Describe the solution you'd like
The -1 response currently means 'deny'.
Adding a new standard response, -2, which means 'second factor required' would allow systems to handle this situation.
WFD would not handle this additional authentication of course, but potentially an agent would take a -2 response to prompt for additional credentials before making a final call to WFD.
This is backwards-compatible since -2 is currently a 'deny' state.

Describe alternatives you've considered
The system can already return a -2 of course but unless this state is in the API spec then it is always at risk of being used for something else in the future. Returning additional data in the other attributes is also possible but unless there is official support then it will discourage use.

This should not require any additional code changes but only a documentation change to reserve the -2 response code for this purpose. It might be worthwhile also reserving -3 to be 'three factors required' though that could be overkill and better handled via a secondary attribute.

@neilcook
Collaborator

neilcook commented Oct 14, 2019

Hmm, I'm loath to give an official way to tell the client to use MFA by adding additional return codes. The way I handle this in the weakforce-policy repo is to return "suspiciousLogin=1" in the additional attrs. I could add documentation for that, and make that the official way to indicate that something like MFA should be done.

@jonmoesli

Is weakforce-policy repo public?

@neilcook
Collaborator

neilcook commented Jan 6, 2021

Is weakforce-policy repo public?

No, it's a proprietary repo that is part of the "commercial" version of wforce sold by Open-Xchange (as "OX Abuse Shield").
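As an added example (not code from the wforce project or from anyone in this thread), here is a Python sketch of how a login agent could act on an allow response under either convention discussed above: the reserved status -2 proposed in the issue, and the suspiciousLogin=1 attribute in the additional attrs from the maintainer's reply. It assumes a JSON response with an integer "status" field and extra attributes under an "attrs" key; both field names and the fail-closed handling of unknown codes are this example's assumptions.

```python
import json
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    SECOND_FACTOR = "second_factor_required"


def decide(response_body: str, knows_status_minus2: bool = True) -> Decision:
    """Map a wforce-style allow response to an agent decision.

    Assumptions (not from the thread): the body is JSON with an integer
    "status" and optional extra attributes under "attrs". A missing or
    unparseable status fails closed (deny); positive statuses (tarpit
    delays in wforce) are treated as allow here and left to the caller.
    """
    try:
        resp = json.loads(response_body)
        status = int(resp.get("status"))
    except (ValueError, TypeError, AttributeError):
        return Decision.DENY          # malformed body or no status: fail closed
    attrs = resp.get("attrs") or {}

    # Convention 1 (issue text): -2 is reserved for "second factor required".
    # An agent written before the reservation sees -2 as just another negative
    # code and denies, which is the backwards compatibility the issue relies on.
    if status == -2 and knows_status_minus2:
        return Decision.SECOND_FACTOR
    if status < 0:
        return Decision.DENY          # -1 and every other negative code

    # Convention 2 (maintainer's reply): the status allows the login, but the
    # policy flags it as suspicious in the additional attributes.
    if str(attrs.get("suspiciousLogin", "0")) == "1":
        return Decision.SECOND_FACTOR
    return Decision.ALLOW


# Constructed sample responses, not captured from a real wforce instance.
SAMPLES = {
    "home_country": '{"status": 0, "msg": ""}',
    "locked_out": '{"status": -1, "msg": "too many failures"}',
    "reserved_code": '{"status": -2, "msg": ""}',
    "flagged": '{"status": 0, "msg": "", "attrs": {"suspiciousLogin": "1"}}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:14s} -> {decide(body).value}")
```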
