
Problems when Biometrics is the default 2FA method #130

Closed
MrPanNikt opened this issue Nov 17, 2020 · 3 comments

Comments

@MrPanNikt

Hello,

I have a problem and a suggestion.

Users who have set Biometrics as the default 2FA method and log in from a new device receive a confusing message about using a USB token. There is no clear message that the device is not registered and must be registered in order to use Biometrics. This seems problematic to me, especially if the user has several login devices and sometimes changes them.

It seems to me that showing a clear message about the missing device registration would be sufficient, but it would be better if the application itself informed the user that on this device only the verification code or e-mail can be used.
The best solution in this case would be for the application with 2FA (if the user has biometrics set as default) to ask the user to configure the device so that biometrics can continue to be used.

@redhook62
Member

redhook62 commented Nov 17, 2020

Hi @MrPanNikt

> Users who have set Biometrics as the default 2FA method and log in from a new device receive a confusing message about using a USB token. There is no clear message that the device is not registered and must be registered in order to use Biometrics. This seems problematic to me, especially if the user has several login devices and sometimes changes them.

Yes, this is completely normal and it is a W3C recommendation, shown at the following link: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client.
No information should be divulged.
Moreover, it is the authenticator (device) which returns the error message, and we have no way to get more information.

> It seems to me that showing a clear message about the missing device registration would be sufficient, but it would be better if the application itself informed the user that on this device only the verification code or e-mail can be used.

As indicated previously, we cannot specify a particular type of message (error, missing device, ...).
We do not know why there is an error or a cancellation carried out by the user.
For example, the user can cancel, then check access to the options, and validate his access.

Now, to change the validation mode there is a link (since version 1.0) "I don't have the code". Maybe this wording does not suit you and should be changed, but like all major platforms, this link exists.
"Sign in another way", like Microsoft: could that be appropriate?

> The best solution in this case would be for the application with 2FA (if the user has biometrics set as default) to ask the user to configure the device so that biometrics can continue to be used.

No, it would be a huge security flaw.
A recovered password would allow the hacker to register his own device and, in addition to the target application, to access the user's security settings (mail, phone, devices).

regards
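As an added illustration of the point made in this reply (example code, not the project's own), here is how a relying party's web client can handle the authentication ceremony without disclosing whether the device is registered. The browser reports the same NotAllowedError whether the authenticator holds no credential for this RP, the user cancelled, or the timeout expired, so the client maps every failure to one generic message plus a "Sign in another way" fallback. It assumes an injected `credentialsGet` standing in for `navigator.credentials.get` so it runs offline, a constructed zero-filled challenge, and an assumed RP ID `example.com`.

```javascript
// Added example, not code from the project discussed in this issue: a
// relying-party (RP) client that handles WebAuthn authentication failures
// the way the W3C client privacy guidance requires. Browsers return the same
// "NotAllowedError" whether the authenticator holds no credential for this
// RP, the user cancelled, or the timeout expired, so the RP cannot and must
// not tell the user "this device is not registered". It shows one generic
// message plus a "Sign in another way" fallback for every failure.

const GENERIC_MESSAGE = "We could not verify you with this device.";
const FALLBACK_LABEL = "Sign in another way";

// Stand-in for the browser's DOMException so the example runs under Node.
class AuthenticatorError extends Error {
  constructor(name, message) {
    super(message);
    this.name = name;
  }
}

// Turns any failure of navigator.credentials.get() into the same user-facing
// outcome. The error name is kept only for the operator's diagnostics and is
// never rendered, so a cancel and an unregistered device look identical.
function outcomeForError(err) {
  const name = err && typeof err.name === "string" ? err.name : "UnknownError";
  return {
    status: "fallback",
    message: GENERIC_MESSAGE,
    fallback: FALLBACK_LABEL,
    diagnostic: name,
  };
}

// One authentication ceremony. `credentialsGet` is injected so the flow can
// be exercised offline; in a browser it would be
// (opts) => navigator.credentials.get(opts).
async function authenticateWithDevice(credentialsGet, publicKeyOptions) {
  try {
    const assertion = await credentialsGet({ publicKey: publicKeyOptions });
    if (!assertion) {
      // The API may resolve with null; treat it like any other failure.
      return outcomeForError(new AuthenticatorError("NotAllowedError", "no assertion"));
    }
    // A real RP now posts assertion.response to the server for verification.
    return { status: "ok", credentialId: assertion.id };
  } catch (err) {
    return outcomeForError(err);
  }
}

// Constructed request options. A real RP sends a fresh random challenge from
// the server for every ceremony; the zero-filled one here is a placeholder.
const sampleOptions = {
  challenge: new Uint8Array(32),
  rpId: "example.com", // assumed RP ID, not the project's
  userVerification: "preferred",
  timeout: 60000,
};

// Three constructed authenticator behaviours: a device with no credential for
// this RP, a user who cancelled, and a successful assertion. The first two
// surface as the same NotAllowedError and must produce the same outcome.
const unregisteredDevice = () =>
  Promise.reject(new AuthenticatorError("NotAllowedError", "no credential for rpId"));
const userCancelled = () =>
  Promise.reject(new AuthenticatorError("NotAllowedError", "user cancelled"));
const workingDevice = () =>
  Promise.resolve({ id: "Y3JlZC1pZA", response: {} });

async function demo() {
  const unregistered = await authenticateWithDevice(unregisteredDevice, sampleOptions);
  const cancelled = await authenticateWithDevice(userCancelled, sampleOptions);
  const ok = await authenticateWithDevice(workingDevice, sampleOptions);
  return { unregistered, cancelled, ok };
}

demo().then((r) => {
  console.log(r.unregistered.message === r.cancelled.message); // true
  console.log(r.ok.status); // "ok"
});
```

The only place the two failure cases differ is the `diagnostic` field, which belongs in the operator's log, never in the page the user sees; if the application rendered it, a password thief probing from an unenrolled machine could learn whether a registered authenticator exists.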

@MrPanNikt
Author

Hi,
I do not fully agree that we are showing the way to attack, because when logging in we receive information that MFA is trying to use biometrics as the second factor. This is a clear message that biometrics is set as 2FA, so I don't understand why not inform that this device is not registered? This is how applications work, for example Okta, Microsoft etc. If we go to the sub-contract login and 2FA is set to Biometrics, the application will notify that this device cannot be used to log in with the selected method. This is a clear message that the user must choose a different login method to reconfigure the device; this can be included in the user manual.

I think changing "I don't have the code" to "Sign in another way" would also help.

regards

@redhook62
Member

Hi,

Ok for the label "Sign in another way" in the next version. This is the message proposed by Microsoft, and there is no other option before clicking this link.

As we said, the message is produced by the authenticator, with no information indicating that the current device is not registered!
Unknown! Is it your user or someone else???

All authenticators provide a specific way to deal with this situation. On Android the authenticator proposes a list of possible options, and Windows Hello indicates precisely to use a registered device (better):

(screenshot)

and allows the user to choose among the registered devices enrolled with your ADFS:

(screenshot)

Okta, Microsoft, Google, Facebook and others can do what they want...

On our side we will stay with the possibility of changing the authentication method via "Sign in another way" (like Microsoft with Azure or Office 365).
For the rest, it is up to the device to correctly warn the user;
if the user's authenticator transmits another, more explicit message, no problem, it will be displayed.

regards
