LG-14261 Add attempt count to mfa setup auth events

app/controllers/concerns/two_factor_authenticatable_methods.rb

@@ -12,16 +12,19 @@ def auth_methods_session
   end
 
   def handle_verification_for_authentication_context(result:, auth_method:, extra_analytics: nil)
+    increment_mfa_selection_attempt_count(auth_method)
     analytics.multi_factor_auth(
       **result.to_h,
       multi_factor_auth_method: auth_method,
       enabled_mfa_methods_count: mfa_context.enabled_mfa_methods_count,
       new_device: new_device?,
       **extra_analytics.to_h,
+      attempts: mfa_attempts_count,
     )
 
     if result.success?
       handle_valid_verification_for_authentication_context(auth_method:)
+      user_session.delete(:mfa_attempts)
     else
       handle_invalid_verification_for_authentication_context
     end
@@ -113,6 +116,20 @@ def handle_remember_device_preference(remember_device_preference)
     save_remember_device_preference(remember_device_preference)
   end
 
+  def increment_mfa_selection_attempt_count(auth_method)
+    user_session[:mfa_attempts] ||= {}
+    user_session[:mfa_attempts][:attempts] ||= 0
+    if user_session[:mfa_attempts][:auth_method] != auth_method
+      user_session[:mfa_attempts][:attempts] = 0
+    end
+    user_session[:mfa_attempts][:attempts] += 1
+    user_session[:mfa_attempts][:auth_method] = auth_method
+  end
+
+  def mfa_attempts_count
+    user_session.dig(:mfa_attempts, :attempts)
+  end
+
   # Method will be renamed in the next refactor.
   # You can pass in any "type" with a corresponding I18n key in
   # two_factor_authentication.invalid_#{type}

app/controllers/two_factor_authentication/otp_verification_controller.rb

@@ -20,6 +20,9 @@ def show
     end
 
     def create
+      if UserSessionContext.confirmation_context?(context)
+        increment_mfa_selection_attempt_count(otp_auth_method)
+      end
       result = otp_verification_form.submit
       post_analytics(result)
 
@@ -41,13 +44,22 @@ def create
         end
 
         reset_otp_session_data
+        user_session.delete(:mfa_attempts)
       else
         handle_invalid_otp(type: 'otp')
       end
     end
 
     private
 
+    def otp_auth_method
+      if params[:otp_delivery_preference] == 'sms'
+        TwoFactorAuthenticatable::AuthMethod::SMS
+      else
+        TwoFactorAuthenticatable::AuthMethod::VOICE
+      end
+    end
+
     def handle_valid_confirmation_otp
       assign_phone
       track_mfa_added
@@ -155,6 +167,7 @@ def analytics_properties
         phone_configuration_id: phone_configuration&.id,
         in_account_creation_flow: user_session[:in_account_creation_flow] || false,
         enabled_mfa_methods_count: mfa_context.enabled_mfa_methods_count,
+        attempts: mfa_attempts_count,
       }
     end
 

app/controllers/two_factor_authentication/totp_verification_controller.rb

@@ -25,7 +25,6 @@ def create
         result:,
         auth_method: TwoFactorAuthenticatable::AuthMethod::TOTP,
       )
-
       if result.success?
         handle_remember_device_preference(params[:remember_device])
         redirect_to after_sign_in_path_for(current_user)

app/controllers/users/piv_cac_authentication_setup_controller.rb

@@ -66,11 +66,13 @@ def piv_cac_service_url_with_redirect
     end
 
     def process_piv_cac_setup
+      increment_mfa_selection_attempt_count(TwoFactorAuthenticatable::AuthMethod::PIV_CAC)
       result = user_piv_cac_form.submit
       properties = result.to_h.merge(analytics_properties)
       analytics.multi_factor_auth_setup(**properties)
       if result.success?
         process_valid_submission
+        user_session.delete(:mfa_attempts)
       else
         process_invalid_submission
       end
@@ -126,6 +128,7 @@ def analytics_properties
       {
         in_account_creation_flow: user_session[:in_account_creation_flow] || false,
         enabled_mfa_methods_count: mfa_context.enabled_mfa_methods_count,
+        attempts: mfa_attempts_count,
       }
     end
 

app/controllers/users/totp_setup_controller.rb

@@ -26,12 +26,13 @@ def new
 
     def confirm
       result = totp_setup_form.submit
-
+      increment_mfa_selection_attempt_count(TwoFactorAuthenticatable::AuthMethod::TOTP)
       properties = result.to_h.merge(analytics_properties)
       analytics.multi_factor_auth_setup(**properties)
 
       if result.success?
         process_valid_code
+        user_session.delete(:mfa_attempts)
       else
         process_invalid_code
       end
@@ -118,6 +119,7 @@ def analytics_properties
       {
         in_account_creation_flow: in_account_creation_flow?,
         pii_like_keypaths: [[:mfa_method_counts, :phone]],
+        attempts: mfa_attempts_count,
       }
     end
   end

app/controllers/users/webauthn_setup_controller.rb

@@ -43,6 +43,7 @@ def new
       @need_to_set_up_additional_mfa = need_to_set_up_additional_mfa?
 
       if result.errors.present?
+        increment_mfa_selection_attempt_count(webauthn_auth_method)
         analytics.webauthn_setup_submitted(
           platform_authenticator: form.platform_authenticator?,
           errors: result.errors,
@@ -54,6 +55,7 @@ def new
     end
 
     def confirm
+      increment_mfa_selection_attempt_count(webauthn_auth_method)
       form = WebauthnSetupForm.new(
         user: current_user,
         user_session: user_session,
@@ -71,9 +73,9 @@ def confirm
       )
       properties = result.to_h.merge(analytics_properties)
       analytics.multi_factor_auth_setup(**properties)
-
       if result.success?
         process_valid_webauthn(form)
+        user_session.delete(:mfa_attempts)
       else
         flash.now[:error] = result.first_error_message
         render :new
@@ -89,6 +91,14 @@ def validate_existing_platform_authenticator
      end
     end
 
+    def webauthn_auth_method
+      if @platform_authenticator
+        TwoFactorAuthenticatable::AuthMethod::WEBAUTHN_PLATFORM
+      else
+        TwoFactorAuthenticatable::AuthMethod::WEBAUTHN
+      end
+    end
+
     def platform_authenticator?
       params[:platform] == 'true'
     end
@@ -141,6 +151,7 @@ def process_valid_webauthn(form)
     def analytics_properties
       {
         in_account_creation_flow: user_session[:in_account_creation_flow] || false,
+        attempts: mfa_attempts_count,
       }
     end
 

app/services/analytics_events.rb

@@ -4905,6 +4905,7 @@ def logout_initiated(
   # @param [Boolean] new_device Whether the user is authenticating from a new device
   # @param [String] multi_factor_auth_method Authentication method used
   # @param [String] multi_factor_auth_method_created_at When the authentication method was created
+  # @param [Integer] attempts number of MFA setup attempts
   # @param [Integer] auth_app_configuration_id Database ID of authentication app configuration
   # @param [Integer] piv_cac_configuration_id Database ID of PIV/CAC configuration
   # @param [String] piv_cac_configuration_dn_uuid PIV/CAC X509 distinguished name UUID
@@ -4928,6 +4929,7 @@ def multi_factor_auth(
     errors: nil,
     error_details: nil,
     context: nil,
+    attempts: nil,
     multi_factor_auth_method_created_at: nil,
     auth_app_configuration_id: nil,
     piv_cac_configuration_id: nil,
@@ -4951,6 +4953,7 @@ def multi_factor_auth(
       error_details:,
       context:,
       new_device:,
+      attempts:,
       multi_factor_auth_method:,
       multi_factor_auth_method_created_at:,
       auth_app_configuration_id:,
@@ -4998,17 +5001,20 @@ def multi_factor_auth_added_phone(
   # @param [Integer] enabled_mfa_methods_count Number of enabled MFA methods on the account
   # @param [Boolean] in_account_creation_flow whether user is going through creation flow
   # @param ['piv_cac'] method_name Authentication method added
+  # @param [Integer] attempts number of MFA setup attempts
   def multi_factor_auth_added_piv_cac(
     enabled_mfa_methods_count:,
     in_account_creation_flow:,
     method_name: :piv_cac,
+    attempts: nil,
     **extra
   )
     track_event(
       :multi_factor_auth_added_piv_cac,
       method_name:,
       enabled_mfa_methods_count:,
       in_account_creation_flow:,
+      attempts:,
       **extra,
     )
   end
@@ -5048,6 +5054,7 @@ def multi_factor_auth_enter_backup_code_visit(context:, **extra)
   end
 
   # @param ["authentication", "reauthentication", "confirmation"] context User session context
+  # @param [Integer] attempts number of MFA setup attempts
   # @param [String] multi_factor_auth_method
   # @param [Boolean] confirmation_for_add_phone
   # @param [Integer] phone_configuration_id
@@ -5067,11 +5074,13 @@ def multi_factor_auth_enter_otp_visit(
     phone_fingerprint:,
     in_account_creation_flow:,
     enabled_mfa_methods_count:,
+    attempts: nil,
     **extra
   )
     track_event(
       'Multi-Factor Authentication: enter OTP visited',
       context:,
+      attempts:,
       multi_factor_auth_method:,
       confirmation_for_add_phone:,
       phone_configuration_id:,
@@ -5247,6 +5256,7 @@ def multi_factor_auth_phone_setup(
   # @param [String, nil] key_id PIV/CAC key_id from PKI service
   # @param [Hash] mfa_method_counts Hash of MFA method with the number of that method on the account
   # @param [Hash] authenticator_data_flags WebAuthn authenticator data flags
+  # @param [Integer] attempts number of MFA setup attempts
   # @param [String, nil] aaguid AAGUID value of WebAuthn device
   # @param [String[], nil] unknown_transports Array of unrecognized WebAuthn transports, intended to
   # be used in case of future specification changes.
@@ -5270,6 +5280,7 @@ def multi_factor_auth_setup(
     key_id: nil,
     mfa_method_counts: nil,
     authenticator_data_flags: nil,
+    attempts: nil,
     aaguid: nil,
     unknown_transports: nil,
     **extra
@@ -5295,6 +5306,7 @@ def multi_factor_auth_setup(
       key_id:,
       mfa_method_counts:,
       authenticator_data_flags:,
+      attempts:,
       aaguid:,
       unknown_transports:,
       **extra,
@@ -5947,11 +5959,18 @@ def piv_cac_recommended_visited
   # Tracks when user's piv cac setup
   # @param [Boolean] in_account_creation_flow Whether user is going through account creation
   # @param [Integer] enabled_mfa_methods_count Number of enabled MFA methods on the account
-  def piv_cac_setup_visited(in_account_creation_flow:, enabled_mfa_methods_count: nil, **extra)
+  # @param [Integer] attempts number of MFA setup attempts
+  def piv_cac_setup_visited(
+    in_account_creation_flow:,
+    enabled_mfa_methods_count: nil,
+    attempts: nil,
+    **extra
+  )
     track_event(
       :piv_cac_setup_visited,
       in_account_creation_flow:,
       enabled_mfa_methods_count:,
+      attempts:,
       **extra,
     )
   end

spec/controllers/concerns/two_factor_authenticatable_methods_spec.rb

@@ -36,6 +36,7 @@
           multi_factor_auth_method: TwoFactorAuthenticatable::AuthMethod::REMEMBER_DEVICE,
           enabled_mfa_methods_count: 0,
           new_device: true,
+          attempts: 1,
         )
       end
 
@@ -189,6 +190,7 @@
           multi_factor_auth_method: TwoFactorAuthenticatable::AuthMethod::SMS,
           enabled_mfa_methods_count: 1,
           new_device: true,
+          attempts: 1,
         )
       end
 
@@ -197,5 +199,33 @@
         expect(user.events.last.event_type).to eq('sign_in_unsuccessful_2fa')
       end
     end
+
+    context 'user switches mfa after unsuccessful attempt' do
+      let(:user) { create(:user, :fully_registered) }
+      let(:auth_method) { TwoFactorAuthenticatable::AuthMethod::SMS }
+      before do
+        allow(controller).to receive(:user_session).and_return(
+          mfa_attempts: {
+            auth_method: 'piv_cac', attempts: 2
+          },
+        )
+      end
+
+      it 'tracks multi-factor authentication event with the expected number of attempts' do
+        stub_analytics
+
+        result
+
+        expect(@analytics).to have_logged_event(
+          'Multi-Factor Authentication',
+          success: true,
+          errors: {},
+          multi_factor_auth_method: TwoFactorAuthenticatable::AuthMethod::SMS,
+          enabled_mfa_methods_count: 1,
+          new_device: true,
+          attempts: 1,
+        )
+      end
+    end
   end
 end

spec/controllers/two_factor_authentication/backup_code_verification_controller_spec.rb

@@ -41,6 +41,7 @@
             multi_factor_auth_method_created_at: Time.zone.now.strftime('%s%L'),
             enabled_mfa_methods_count: 1,
             new_device: true,
+            attempts: 1,
           )
 
           expect(subject.user_session[:auth_events]).to eq(
@@ -97,6 +98,7 @@
             multi_factor_auth_method_created_at: Time.zone.now.strftime('%s%L'),
             enabled_mfa_methods_count: 1,
             new_device: true,
+            attempts: 1,
           )
           expect(@analytics).to have_logged_event(
             'User marked authenticated',
@@ -175,6 +177,7 @@
           multi_factor_auth_method: 'backup_code',
           enabled_mfa_methods_count: 1,
           new_device: true,
+          attempts: 1,
         )
         expect(@analytics).to have_logged_event('Multi-Factor Authentication: max attempts reached')
       end