LG-11110: Allow user to reauthenticate with any MFA method in strict AAL2 setup#9304

Merged: aduth merged 5 commits into main from aduth-lg-11110-reauth-any-mfa, Oct 5, 2023

Conversation


@aduth aduth commented Oct 3, 2023

🎫 Ticket

LG-11110

🛠 Summary of changes

Fixes an issue where a user's MFA methods are filtered to PIV or phishing-resistant methods when prompted to reauthenticate after making a selection to set up a new, eligible strict AAL2 method, thereby preventing them from continuing if they don't already have one of these methods.

📜 Testing Plan

It can help to set reauthn_window to a low value in local development to force frequent reauthentication, e.g. 20 seconds in config/application.yml:

```yaml
reauthn_window: 20
```

1. Go to http://localhost:3000 in local development
2. Create an account with phishable MFA method(s) (i.e. anything other than face/touch, PIV, or security key)
3. Start OIDC Sample App in a separate terminal process
4. Go to http://localhost:9292/?aal=2-phishing_resistant
5. Click "Sign in"
6. You should see an "additional authentication required" screen
7. Choose an authentication to add and click "Continue"
8. Continue to set up your new, stricter authentication method

Before: You would not have been successful, since you'd be prompted to reauthenticate, but you would see no options to use to reauthenticate.
After: You'll eventually be successful after reauthenticating with one of your existing methods.

👀 Screenshots

[Before and After screenshots taken 2023-10-03; images not reproduced here]

changelog: Bug Fixes, MFA Setup, Fix issue preventing user from reauthenticating with an existing MFA method when adding a new method for strict AAL2 request
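The bug described above, modelled as an added illustration that is not identity-idp's own code: method names, the `fixed:` switch and the step labels are constructed for the example. The strictness of a phishing-resistant AAL2 request should constrain which method the user may add, not which existing method they may use to prove it is still them within `reauthn_window`.

```ruby
# Constructed MFA method names for the illustration (not the project's identifiers).
ALL_METHODS = %i[sms voice auth_app backup_codes piv_cac security_key face_touch].freeze
PHISHING_RESISTANT_METHODS = %i[piv_cac security_key face_touch].freeze

# Reauthentication is needed once the last successful authentication is older
# than the configured window (seconds, like reauthn_window in application.yml).
def reauthentication_required?(last_auth_at, now, reauthn_window:)
  now - last_auth_at > reauthn_window
end

# In a strict (phishing-resistant) AAL2 setup flow the user may only add a
# phishing-resistant method they do not already have.
def methods_eligible_to_add(user_methods, phishing_resistant:)
  (phishing_resistant ? PHISHING_RESISTANT_METHODS : ALL_METHODS) - user_methods
end

# Which of the user's existing methods the reauthentication prompt offers.
# fixed: false reproduces the bug: the setup filter leaked into the reauth
# prompt, so a user with only phishable methods was offered nothing.
# fixed: true is the corrected behaviour: any configured method proves
# possession of an existing factor and is acceptable for reauthentication.
def reauth_options(user_methods, phishing_resistant:, fixed:)
  return user_methods if fixed
  phishing_resistant ? user_methods & PHISHING_RESISTANT_METHODS : user_methods
end

# One decision point of the flow: either reauthenticate (with the offered
# options), get stuck with no options, or proceed to set up a new method.
def next_step(user_methods:, last_auth_at:, now:, reauthn_window:, phishing_resistant:, fixed:)
  if reauthentication_required?(last_auth_at, now, reauthn_window: reauthn_window)
    options = reauth_options(user_methods, phishing_resistant: phishing_resistant, fixed: fixed)
    return options.empty? ? [:stuck, []] : [:reauthenticate, options]
  end
  [:setup, methods_eligible_to_add(user_methods, phishing_resistant: phishing_resistant)]
end

if __FILE__ == $PROGRAM_NAME
  user = %i[sms auth_app] # constructed: account with only phishable methods
  %w[before after].each do |label|
    step = next_step(user_methods: user, last_auth_at: 0, now: 30, reauthn_window: 20,
                     phishing_resistant: true, fixed: label == 'after')
    puts "#{label}: #{step.inspect}"
  end
end
```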
@aduth aduth requested review from a team and mitchellhenke October 3, 2023 17:37
@aduth aduth changed the title LG-11110: Allow user to reauthenticate with any MFA method in strict AAL2 LG-11110: Allow user to reauthenticate with any MFA method in strict AAL2 setup Oct 3, 2023
@kevinsmaster5 kevinsmaster5 left a comment

It looks good and testing proved the change works.

@aduth aduth merged commit 734e0b8 into main Oct 5, 2023
@aduth aduth deleted the aduth-lg-11110-reauth-any-mfa branch October 5, 2023 13:12
@jmhooper jmhooper mentioned this pull request Oct 5, 2023