Add mfa_weakest_device to UserStatusV2
#46957
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
33d97a0 to
c506141
Compare
4dcc8dd to
e5642a4
Compare
10b39bb to
15290fe
Compare
|
🤖 Vercel preview here: https://docs-adv6j0ldi-goteleport.vercel.app/docs/ver/preview |
|
🤖 Vercel preview here: https://docs-i8l5ofdmr-goteleport.vercel.app/docs/ver/preview |
15290fe to
a523f08
Compare
|
🤖 Vercel preview here: https://docs-gmg46yr41-goteleport.vercel.app/docs/ver/preview |
rosstimothy
reviewed
Oct 2, 2024
codingllama
reviewed
Oct 2, 2024
| @@ -352,6 +352,12 @@ func userFromUserItems(name string, items userItems) (*types.UserV2, error) { | |||
| return nil, trace.Wrap(err) | |||
| } | |||
| user.SetLocalAuth(auth) | |||
|
|
|||
| if auth != nil { | |||
There was a problem hiding this comment.
Suggestion: I would split the new definitions (and more mundane code changes) and new code additions into separate PRs. That would make 2 smaller, more focused PRs, which should make for easier reviews. (It would hopefully touch less files at once too.)
There was a problem hiding this comment.
(No need to split it now, but consider that for future PRs.)
| // MFA device is known to be configured using TOTP as the weakest form of MFA. | ||
| MFA_STATE_TOTP = 2; | ||
| // MFA device is known to be configured using U2F as the weakest form of MFA. | ||
| MFA_STATE_U2F = 3; |
There was a problem hiding this comment.
Do we need to distinguish between U2F and WEBAUTHN? Why not call both WEBAUTHN?
There was a problem hiding this comment.
I wanted to distinguish when a user has a webauthn only configured vs when he has a u2f given that U2F can't be used to passwordless login to teleport.
There was a problem hiding this comment.
WEBAUTHN doesn't necessarily mean passkey either, so I think the distinction is moot. All we would detect here are users with relatively old devices / clusters. I would still combine U2F and WEBAUTHN and only re-introduce U2F if we really cared about it specifically.
|
🤖 Vercel preview here: https://docs-9o2pskc35-goteleport.vercel.app/docs/ver/preview |
|
🤖 Vercel preview here: https://docs-2ih7nl0rc-goteleport.vercel.app/docs/ver/preview |
codingllama
reviewed
Oct 2, 2024
codingllama
approved these changes
Oct 2, 2024
|
🤖 Vercel preview here: https://docs-mqrqac8bm-goteleport.vercel.app/docs/ver/preview |
rosstimothy
approved these changes
Oct 2, 2024
This PR introduces the `mfa_weakest_device` value which is used to specify the weakest MFA device for the account. When a user has no MFA device, it's set to `MFA_DEVICE_KIND_UNSET`. When a user has at least one TOTP device, it's set to `MFA_DEVICE_KIND_TOTP`. When a user ONLY has webauthn or U2F devices, it's set to `MFA_DEVICE_KIND_WEBAUTHN`. This newly introduced field will be utilized by Access Graph to identify insecure patterns that could be potential phishing attack targets, particularly for users without MFA devices or those using TOTP devices.
mfa_device_state to UserStatusV2mfa_weakest_device to UserStatusV2
cd00d9b to
8fd80cd
Compare
|
🤖 Vercel preview here: https://docs-4alswr5g8-goteleport.vercel.app/docs/ver/preview |
tigrato
added a commit
that referenced
this pull request
Oct 2, 2024
This PR introduces the `mfa_weakest_device` value which is used to specify the weakest MFA device for the account. When a user has no MFA device, it's set to `MFA_DEVICE_KIND_UNSET`. When a user has at least one TOTP device, it's set to `MFA_DEVICE_KIND_TOTP`. When a user ONLY has webauthn or U2F devices, it's set to `MFA_DEVICE_KIND_WEBAUTHN`. This newly introduced field will be utilized by Access Graph to identify insecure patterns that could be potential phishing attack targets, particularly for users without MFA devices or those using TOTP devices.
tigrato
added a commit
that referenced
this pull request
Oct 2, 2024
This PR introduces the `mfa_weakest_device` value which is used to specify the weakest MFA device for the account. When a user has no MFA device, it's set to `MFA_DEVICE_KIND_UNSET`. When a user has at least one TOTP device, it's set to `MFA_DEVICE_KIND_TOTP`. When a user ONLY has webauthn or U2F devices, it's set to `MFA_DEVICE_KIND_WEBAUTHN`. This newly introduced field will be utilized by Access Graph to identify insecure patterns that could be potential phishing attack targets, particularly for users without MFA devices or those using TOTP devices.
tigrato
added a commit
that referenced
this pull request
Oct 2, 2024
This PR introduces the `mfa_weakest_device` value which is used to specify the weakest MFA device for the account. When a user has no MFA device, it's set to `MFA_DEVICE_KIND_UNSET`. When a user has at least one TOTP device, it's set to `MFA_DEVICE_KIND_TOTP`. When a user ONLY has webauthn or U2F devices, it's set to `MFA_DEVICE_KIND_WEBAUTHN`. This newly introduced field will be utilized by Access Graph to identify insecure patterns that could be potential phishing attack targets, particularly for users without MFA devices or those using TOTP devices.
github-merge-queue bot
pushed a commit
that referenced
this pull request
Oct 2, 2024
This PR introduces the `mfa_weakest_device` value which is used to specify the weakest MFA device for the account. When a user has no MFA device, it's set to `MFA_DEVICE_KIND_UNSET`. When a user has at least one TOTP device, it's set to `MFA_DEVICE_KIND_TOTP`. When a user ONLY has webauthn or U2F devices, it's set to `MFA_DEVICE_KIND_WEBAUTHN`. This newly introduced field will be utilized by Access Graph to identify insecure patterns that could be potential phishing attack targets, particularly for users without MFA devices or those using TOTP devices.
github-merge-queue bot
pushed a commit
that referenced
this pull request
Oct 2, 2024
This PR introduces the `mfa_weakest_device` value which is used to specify the weakest MFA device for the account. When a user has no MFA device, it's set to `MFA_DEVICE_KIND_UNSET`. When a user has at least one TOTP device, it's set to `MFA_DEVICE_KIND_TOTP`. When a user ONLY has webauthn or U2F devices, it's set to `MFA_DEVICE_KIND_WEBAUTHN`. This newly introduced field will be utilized by Access Graph to identify insecure patterns that could be potential phishing attack targets, particularly for users without MFA devices or those using TOTP devices.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces the
mfa_weakest_devicevalue which is used to specify the weakest MFA device for the account.When a user has no MFA device, it's set to
MFA_DEVICE_KIND_UNSET.When a user has at least one TOTP device, it's set to
MFA_DEVICE_KIND_TOTP.When a user ONLY has webauthn or U2F devices, it's set to
MFA_DEVICE_KIND_WEBAUTHN.This newly introduced field will be utilized by Access Graph to identify insecure patterns that could be potential phishing attack targets, particularly for users without MFA devices or those using TOTP devices.