Add mfa_weakest_device to UserStatusV2#46957
Merged
Conversation
tigrato
force-pushed
the
tigrato/add-status-mfa-device
branch
from
33d97a0 to
c506141
Compare
tigrato
force-pushed
the
tigrato/add-status-mfa-device
branch
from
4dcc8dd to
e5642a4
Compare
tigrato
added
backport/branch/v14
no-changelog
tigrato
force-pushed
the
tigrato/add-status-mfa-device
branch
from
10b39bb to
15290fe
Compare
Contributor
|
🤖 Vercel preview here: https://docs-adv6j0ldi-goteleport.vercel.app/docs/ver/preview |
Contributor
|
🤖 Vercel preview here: https://docs-i8l5ofdmr-goteleport.vercel.app/docs/ver/preview |
tigrato
force-pushed
the
tigrato/add-status-mfa-device
branch
from
15290fe to
a523f08
Compare
Contributor
|
🤖 Vercel preview here: https://docs-gmg46yr41-goteleport.vercel.app/docs/ver/preview |
rosstimothy
reviewed
Oct 2, 2024
codingllama
reviewed
Oct 2, 2024
| } | ||
| user.SetLocalAuth(auth) | ||
|
|
||
| if auth != nil { |
Contributor
There was a problem hiding this comment.
Suggestion: I would split the new definitions (and more mundane code changes) and new code additions into separate PRs. That would make 2 smaller, more focused PRs, which should make for easier reviews. (It would hopefully touch less files at once too.)
Contributor
There was a problem hiding this comment.
(No need to split it now, but consider that for future PRs.)
| // MFA device is known to be configured using TOTP as the weakest form of MFA. | ||
| MFA_STATE_TOTP = 2; | ||
| // MFA device is known to be configured using U2F as the weakest form of MFA. | ||
| MFA_STATE_U2F = 3; |
Contributor
There was a problem hiding this comment.
Do we need to distinguish between U2F and WEBAUTHN? Why not call both WEBAUTHN?
Contributor
Author
There was a problem hiding this comment.
I wanted to distinguish when a user has a webauthn only configured vs when he has a u2f given that U2F can't be used to passwordless login to teleport.
Contributor
There was a problem hiding this comment.
WEBAUTHN doesn't necessarily mean passkey either, so I think the distinction is moot. All we would detect here are users with relatively old devices / clusters. I would still combine U2F and WEBAUTHN and only re-introduce U2F if we really cared about it specifically.
Contributor
|
🤖 Vercel preview here: https://docs-9o2pskc35-goteleport.vercel.app/docs/ver/preview |
Contributor
|
🤖 Vercel preview here: https://docs-2ih7nl0rc-goteleport.vercel.app/docs/ver/preview |
codingllama
reviewed
Oct 2, 2024
codingllama
approved these changes
Oct 2, 2024
Contributor
|
🤖 Vercel preview here: https://docs-mqrqac8bm-goteleport.vercel.app/docs/ver/preview |
rosstimothy
approved these changes
Oct 2, 2024
Contributor
rosstimothy
left a comment
rosstimothy
left a comment
There was a problem hiding this comment.
You might want to update the title/description and commit message to replace mfa_device_state with mfa_weakest_device
public-teleport-github-review-bot
Bot
removed the request for review
from eriktate
This PR introduces the `mfa_weakest_device` value which is used to specify the weakest MFA device for the account. When a user has no MFA device, it's set to `MFA_DEVICE_KIND_UNSET`. When a user has at least one TOTP device, it's set to `MFA_DEVICE_KIND_TOTP`. When a user ONLY has webauthn or U2F devices, it's set to `MFA_DEVICE_KIND_WEBAUTHN`. This newly introduced field will be utilized by Access Graph to identify insecure patterns that could be potential phishing attack targets, particularly for users without MFA devices or those using TOTP devices.
tigrato
changed the title
mfa_device_state to UserStatusV2mfa_weakest_device to UserStatusV2
tigrato
force-pushed
the
tigrato/add-status-mfa-device
branch
from
cd00d9b to
8fd80cd
Compare
Contributor
|
🤖 Vercel preview here: https://docs-4alswr5g8-goteleport.vercel.app/docs/ver/preview |
tigrato
added a commit
that referenced
this pull request
Oct 2, 2024
This PR introduces the `mfa_weakest_device` value which is used to specify the weakest MFA device for the account. When a user has no MFA device, it's set to `MFA_DEVICE_KIND_UNSET`. When a user has at least one TOTP device, it's set to `MFA_DEVICE_KIND_TOTP`. When a user ONLY has webauthn or U2F devices, it's set to `MFA_DEVICE_KIND_WEBAUTHN`. This newly introduced field will be utilized by Access Graph to identify insecure patterns that could be potential phishing attack targets, particularly for users without MFA devices or those using TOTP devices.
tigrato
added a commit
that referenced
this pull request
Oct 2, 2024
This PR introduces the `mfa_weakest_device` value which is used to specify the weakest MFA device for the account. When a user has no MFA device, it's set to `MFA_DEVICE_KIND_UNSET`. When a user has at least one TOTP device, it's set to `MFA_DEVICE_KIND_TOTP`. When a user ONLY has webauthn or U2F devices, it's set to `MFA_DEVICE_KIND_WEBAUTHN`. This newly introduced field will be utilized by Access Graph to identify insecure patterns that could be potential phishing attack targets, particularly for users without MFA devices or those using TOTP devices.
tigrato
added a commit
that referenced
this pull request
Oct 2, 2024
This PR introduces the `mfa_weakest_device` value which is used to specify the weakest MFA device for the account. When a user has no MFA device, it's set to `MFA_DEVICE_KIND_UNSET`. When a user has at least one TOTP device, it's set to `MFA_DEVICE_KIND_TOTP`. When a user ONLY has webauthn or U2F devices, it's set to `MFA_DEVICE_KIND_WEBAUTHN`. This newly introduced field will be utilized by Access Graph to identify insecure patterns that could be potential phishing attack targets, particularly for users without MFA devices or those using TOTP devices.
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Oct 2, 2024
This PR introduces the `mfa_weakest_device` value which is used to specify the weakest MFA device for the account. When a user has no MFA device, it's set to `MFA_DEVICE_KIND_UNSET`. When a user has at least one TOTP device, it's set to `MFA_DEVICE_KIND_TOTP`. When a user ONLY has webauthn or U2F devices, it's set to `MFA_DEVICE_KIND_WEBAUTHN`. This newly introduced field will be utilized by Access Graph to identify insecure patterns that could be potential phishing attack targets, particularly for users without MFA devices or those using TOTP devices.
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Oct 2, 2024
This PR introduces the `mfa_weakest_device` value which is used to specify the weakest MFA device for the account. When a user has no MFA device, it's set to `MFA_DEVICE_KIND_UNSET`. When a user has at least one TOTP device, it's set to `MFA_DEVICE_KIND_TOTP`. When a user ONLY has webauthn or U2F devices, it's set to `MFA_DEVICE_KIND_WEBAUTHN`. This newly introduced field will be utilized by Access Graph to identify insecure patterns that could be potential phishing attack targets, particularly for users without MFA devices or those using TOTP devices.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR introduces the
mfa_weakest_devicevalue which is used to specify the weakest MFA device for the account.When a user has no MFA device, it's set to
MFA_DEVICE_KIND_UNSET.When a user has at least one TOTP device, it's set to
MFA_DEVICE_KIND_TOTP.When a user ONLY has webauthn or U2F devices, it's set to
MFA_DEVICE_KIND_WEBAUTHN.This newly introduced field will be utilized by Access Graph to identify insecure patterns that could be potential phishing attack targets, particularly for users without MFA devices or those using TOTP devices.