LG-14261 Add attempt count to mfa setup auth events

[kevinsmaster5]

🎫 Ticket

Link to the relevant ticket:
LG-14261

🛠 Summary of changes

Adds a session token to track number of attempts when setting up an mfa type.
Total sum of attempts gets passed to analytics_events.
Backup codes are excluded since during setup they're added instantly.

📜 Testing Plan

Checklist of steps to confirm the changes.

• In a separate console run make watch_events
• http://localhost:3000 with existing or new account add MFA.
• Observe in the watch_events feed 'Multi-Factor Authentication Setup' that a predictable value for
  properties > event_properties > mfa_attempts is registered

Attempt count will increment by failing and retrying to add mfa for example:

• Webauthn (Face|Touch or security key) clicking cancel at the browser dialog before completing setup
• PIV test screen select a failing condition
• SMS/Voice enter (change) supplied auth code
• Auth App enter wrong auth code

👀 Screenshots

[kevinsmaster5]

Taking a look at second_factor_attempts_count to see if that might take the place of creating a session token.

[kevinsmaster5]

Taking a look at second_factor_attempts_count to see if that might take the place of creating a session token.

seems to only work for OTP.

[mdiarra3]

Looks good and seems to work locally, but wondering if theres a way for us to push this out to a helper or concern for the verification controllers.

[kevinsmaster5]

Looks good and seems to work locally, but wondering if theres a way for us to push this out to a helper or concern for the verification controllers.

Do you mean something like abstracting this sort of thing into a concern?

session[:piv_cac_attempts] ||= 0
session[:piv_cac_attempts] += 1

It does look repetitive since it's sort of identical in 4 places.

[kevinsmaster5]

Added suggestion from #11293 (review)

[aduth]

The ticket wants this to be included for both setup and verification attempts, but the pull request is currently focused on setup only.

[aduth]

If someone fails authenticating or setting up with one authentication method and then switches to another, what do we expect the mfa_attempts to be for that second MFA method? I think we wouldn't want to unfairly bias attempts for that second method based on failures with another method.

I think we should either only log the attempts for that individual method, or the log value should be a hash of attempts for each method. For both cases, I'd imagine the session value would be a hash of method-to-attempts.

[kevinsmaster5]

I think we should either only log the attempts for that individual method, or the log value should be a hash of attempts for each method. For both cases, I'd imagine the session value would be a hash of method-to-attempts.

So rather than
"event_properties": {
"success": true,
"errors": {},
"multi_factor_auth_method": "piv_cac",
"in_account_creation_flow": true,
"enabled_mfa_methods_count": 1,
"mfa_attempts": 1
},

Would we want to see something like
"event_properties": {
"success": true,
"errors": {},
"multi_factor_auth_method": "piv_cac",
"in_account_creation_flow": true,
"enabled_mfa_methods_count": 1,
"mfa_attempts": {
"piv_cac": 1
}
},

[aduth]

I think we could keep the logged value a single integer if we wanted, but in order to make sure that we're only logging attempts for that method, we'd need to track the attempts in the session as per-method (a hash).

So the session value would look something like the hash in your example, and getting the value from the session is something like user_session[:mfa_attempts][method].

[aduth]

I'm wondering if it'd be better to implement the incrementing

[voidlily]

can you rebase this branch to pick up changes to the reviewapp deploy process?

[aduth]

Do we log errors.personal_key and error_details.personal_key here? I'm surprised this would come up just now.

[kevinsmaster5]

It was in response to an error I was getting. I can take another look for more clarity.

[kevinsmaster5]

It was in the same spec that was exhibiting the session sensitive key error
./spec/features/legacy_passwords_spec.rb:61

1. legacy passwords signing in with an incorrect uak personal key digest does not grant access
   Failure/Error:
   raise PiiDetected, <<~ERROR
   track_event received pii key path: #{current_keypath.inspect}
   event: #{event} (#{constant_name})
   full event: #{attributes.inspect}
   allowlisted keypaths: #{pii_like_keypaths.inspect}
   ERROR

   FakeAnalytics::PiiDetected:
   track_event received pii key path: [:errors, :personal_key]
   event: Multi-Factor Authentication ()
   full event: {:success=>false, :errors=>{:personal_key=>["Incorrect personal key"]}, :error_details=>{:personal_key=>{:personal_key_incorrect=>true}}, :new_device=>true, :mfa_attempts=>{"personal_key"=>1}, :multi_factor_auth_method=>"personal-key", :enabled_mfa_methods_count=>1}
   allowlisted keypaths: [[:mfa_attempts, :otp], [:error_details, :personal_key]]

[aduth]

I'm not able to reproduce that test failure locally in your branch when removing this pii_like_keypaths code. Also, mfa_attempts.otp would never exist in the hash structure since you changed that in an earlier commit.

[aduth]

I think now that we're only tracking attempts for the current method, and because auth_method is a redundant property, it'd be nice if we logged the numeric value of attempts instead.

Suggested change

	mfa_attempts: {
	attempts: 1,
	auth_method: 'sms',
	},
	attempts: 1,

[kevinsmaster5]

Revised expected analytics event with e6ab87d

[aduth]

I'm not able to reproduce that test failure locally in your branch when removing this pii_like_keypaths code. Also, mfa_attempts.otp would never exist in the hash structure since you changed that in an earlier commit.

[aduth]

I don't think this is accurately counting attempts. If I sat on the WebAuthn setup page and refreshed the page, it would count that as an attempt, but that's not really an attempt. I think we'd want this inside the result.errors.present? check above.

[kevinsmaster5]

I moved it there. I don't honestly know why that works. Do we expect errors to be present every time?

[aduth]

I don't think we need these changes anymore?

[kevinsmaster5]

That's right. Those are removed.

[kevinsmaster5]

webauthn gets converted to a string when it's added to the session
[2] pry(#Users::WebauthnSetupController)> auth_method
=> :webauthn.1 |
[3] pry(#Users::WebauthnSetupController)> user_session[:mfa_attempts]

it would always set the increment to zero because the 2 values were coming out inequal

[kevinsmaster5]

Thinking it's because the auth method may or may not be set to "_platform" 🤔

[aduth]

Yes, that's a good call-out. The WebAuthn controller handles both Security Key and Face or Touch Unlock, and we probably want to differentiate with webauthn_platform vs. webauthn.

[aduth]

This reminds me that we have constants defined for each of the expected auth_method values. Using these might also help with issues normalizing to string, since session value should always be a string.

identity-idp/app/controllers/concerns/two_factor_authenticatable.rb

Lines 18 to 26 in f7fcb4c

	BACKUP_CODE = 'backup_code'
	PERSONAL_KEY = 'personal_key'
	PIV_CAC = 'piv_cac'
	REMEMBER_DEVICE = 'remember_device'
	SMS = 'sms'
	TOTP = 'totp'
	VOICE = 'voice'
	WEBAUTHN = 'webauthn'
	WEBAUTHN_PLATFORM = 'webauthn_platform'

[kevinsmaster5]

@aduth should this (and others relative to their constants) be

Suggested change

	increment_mfa_selection_attempt_count(:otp)
	increment_mfa_selection_attempt_count(TwoFactorAuthenticatable::AuthMethod::PIV_CAC)

for example regarding #11293 (comment)

[aduth]

Yeah like that, as appropriate for each method.

[kevinsmaster5]

Got that in there. It also made the change here #11293 (comment) no longer needed.

[aduth]

I still see the symbol :otp used here. Would we want to switch between TwoFactorAuthenticatable::AuthMethod::SMS or TwoFactorAuthenticatable::AuthMethod::VOICE like we're doing with WebAuthn, to be able to better differentiate what delivery method they're failing with?

[aduth]

We'll want to use the constant here as well, and incorporate 'webauthn_platform'.

Maybe we want a helper method to avoid noisy if else ?

def webauthn_auth_method
  if @platform_authenticator
    TwoFactorAuthenticatable::AuthMethod::WEBAUTHN_PLATFORM
  else
    TwoFactorAuthenticatable::AuthMethod::WEBAUTHN
  end
end

[kevinsmaster5]

That works great - also for sms/voice.

[aduth]

One minor suggestion, but LGTM otherwise 👍

[aduth]

We can use your new helper method to simplify

Suggested change

	if @platform_authenticator
	increment_mfa_selection_attempt_count(
	TwoFactorAuthenticatable::AuthMethod::WEBAUTHN_PLATFORM,
	)
	else
	increment_mfa_selection_attempt_count(
	TwoFactorAuthenticatable::AuthMethod::WEBAUTHN,
	)
	end
	increment_mfa_selection_attempt_count(webauthn_auth_method)

[kevinsmaster5]

oh right! thanks :)