Change re-authentication to only require a second factor rather than password and second factor and require authentication for more account management actions by mitchellhenke · Pull Request #8037 · 18F/identity-idp

mitchellhenke · 2023-03-21T15:31:35Z

🛠 Summary of changes

Follow-up to #8031

This PR intends to simplify some of the re-authentication requirements and improve account security within the IDP in two ways:

Require only a second factor authentication
- We currently require the user to enter their password and then 2FA, and this flow can be a bit fickle since it has to manage state across a few requests
- This also includes not allowing a remembered device cookie for the second factor re-authentication
Add re-authentication requirements to authentication-related account management actions like managing backup codes, etc.

It is behind a feature flag where the behavior should not change when it is disabled and it should be backwards and forwards compatible.

zachmargolis

LGTM, small questions, no big objections

spec/support/features/session_helper.rb

app/controllers/concerns/reauthentication_required_concern.rb

app/controllers/concerns/remember_device_concern.rb

app/controllers/concerns/mfa_setup_concern.rb

app/controllers/concerns/reauthentication_required_concern.rb

aduth

LGTM 👍

app/controllers/users/backup_code_setup_controller.rb

aduth · 2023-03-23T12:45:13Z

app/controllers/concerns/reauthentication_required_concern.rb

I know it's a hold-over, but... is this value used for anything?

Not that I can find. It's added in the original PR for this behavior, but I can't see that it's used for anything in it: https://github.com/18F/identity-idp/pull/507/files#diff-21b23b276c9228c6a6d1393e4f1ef35a90a49d7c9776cae93f395381990dea36R5

…password and second factor and require authentication for more account management actions changelog: User-Facing Improvements, Authentication, Change re-authentication to only require a second factor rather than password and second factor and require authentication for more account management actions

…tion if configured

mitchellhenke requested a review from a team March 21, 2023 15:31

zachmargolis approved these changes Mar 21, 2023

View reviewed changes

aduth reviewed Mar 21, 2023

View reviewed changes

app/controllers/concerns/reauthentication_required_concern.rb Outdated Show resolved Hide resolved

mitchellhenke force-pushed the mitchellhenke/reauthentication-required-2 branch 4 times, most recently from 390f05d to ae66066 Compare March 22, 2023 15:17

aduth approved these changes Mar 23, 2023

View reviewed changes

mitchellhenke force-pushed the mitchellhenke/reauthentication-required-2 branch from 4cef28b to b68b10c Compare March 24, 2023 19:19

Mitchell Henke added 10 commits March 24, 2023 15:18

add config

aee6246

use 2fa reauthentication in existing reauthentication if enabled

59543e0

use 2fa reauthentication in controllers that now require reauthentica…

5aa9710

…tion if configured

fix specs

51f1ce0

avoid duplicating before_action

6725792

do not store factor_to_change

e0bea8a

ensure feature flag coverage is complete

ed8cc4a

remove helper that's only used once

5196abd

add analytics

5e5fb18

mitchellhenke force-pushed the mitchellhenke/reauthentication-required-2 branch from b68b10c to 5e5fb18 Compare March 24, 2023 20:18

add before_action specs

d0a6b72

mitchellhenke merged commit e4d87ce into main Mar 24, 2023

mitchellhenke deleted the mitchellhenke/reauthentication-required-2 branch March 24, 2023 21:11

mitchellhenke mentioned this pull request Mar 27, 2023

Update re-authentication logic when confirming user is authenticated for 2FA setup #8076

Merged

aduth mentioned this pull request Mar 27, 2023

Deploy RC 266 to Prod #8080

Merged

This was referenced Apr 24, 2023

Require re-authentication for PIV/CAC setup from sign in process #8264

Merged

Switch to using constants for auth_method values #8315

Merged

mitchellhenke mentioned this pull request May 15, 2023

Remove handle_valid_otp method #8392

Merged

mitchellhenke mentioned this pull request Jul 3, 2023

Clean up feature flag for second factor reauthentication #8707

Merged

mitchellhenke mentioned this pull request Sep 14, 2023

Require recent authentication before deleting account #9183

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Change re-authentication to only require a second factor rather than password and second factor and require authentication for more account management actions#8037

Change re-authentication to only require a second factor rather than password and second factor and require authentication for more account management actions#8037
mitchellhenke merged 11 commits intomainfrom
mitchellhenke/reauthentication-required-2

mitchellhenke commented Mar 21, 2023

Uh oh!

zachmargolis left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

aduth left a comment

Uh oh!

Uh oh!

aduth Mar 23, 2023

Uh oh!

mitchellhenke Mar 23, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

mitchellhenke commented Mar 21, 2023

🛠 Summary of changes

Uh oh!

zachmargolis left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

aduth left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

aduth Mar 23, 2023

Choose a reason for hiding this comment

Uh oh!

mitchellhenke Mar 23, 2023

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants