Allow each admin user to choose which 2fa providers to setup #273

Open
1 task done
willjones9 opened this issue Sep 9, 2020 · 16 comments
Labels
Component: 2FA Issues and Pull Requests related to Two Factor Authentication should be marked with this label enhancement New feature or request Progress: dev in progress

Comments

@willjones9

Preconditions

  • Magento 2.4.0
  • PHP 7.3 and 7.4

Steps to reproduce

Enable (and configure) the following 2FA providers:

  • Duo
  • Google
  • U2F.

Expected result

A user can choose between one of the three 2FA methods.

Actual result

Magento expects all three 2FA providers to be configured for every user account and it is not possible to pick and choose which provider is used on a per user basis.

  • Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.

Configuring multiple 2FA providers causes the system to see them all as forced providers, meaning that they have to be configured for each and every user in the system as opposed to allowing a user to choose between one of the enabled providers.

This is a problem, considering that merchants may wish to configure the second factor authentication method on a user or role basis. For example, store administrators may wish to use Duo, whereas employees dealing with order fulfillment (who perhaps don't need to access the admin area out of hours and may not have mobile phones on them during their day) may need to use a U2F key such as a Yubikey or similar.

The current implementation does not allow for this use case, which seems like it should be a very obvious option that should be included.

@ihor-sviziev
Contributor

ihor-sviziev commented Sep 10, 2020

2FA module was moved to https://github.com/magento/security-package/.
@sdzhepa @naydav could you move this issue into this repo?

@sdzhepa
Contributor

sdzhepa commented Sep 11, 2020

Thank you @ihor-sviziev
cc: @willjones-stratagem
Transferred to security-package repo

@sdzhepa sdzhepa transferred this issue from magento/magento2 Sep 11, 2020
@m2-assistant

m2-assistant bot commented Sep 11, 2020

Hi @willjones-stratagem. Thank you for your report.
To help us process this issue please make sure that you provided sufficient information.

Please, add a comment to assign the issue: @magento I am working on this


@sdzhepa sdzhepa added the Component: 2FA Issues and Pull Requests related to Two Factor Authentication should be marked with this label label Sep 11, 2020
@sdzhepa sdzhepa added bug Something isn't working and removed Progress: ready for grooming labels Sep 11, 2020
@nathanjosiah
Contributor

nathanjosiah commented Sep 11, 2020

@willjones-stratagem Thank you for the report! This is by design. Once a user has configured all enabled providers they are able to choose which one they want to authenticate with.

@nathanjosiah
Contributor

To expand on my explanation, your users can configure the one they have access to at the time, then later when they have access to another they can configure the second one. You can skip configuration of a provider as long as you have at least one already configured. Once they have both configured they can simply choose which one they want to use at a given time.

@tschirmer

tschirmer commented Nov 29, 2022

This is still broken in 2.4.5-p1. And doesn't look intentional. If it is by design, the designers need to try using it.

The workflow is like this:

  • Install Magento 2.4.5-p1 on PHP 8.1

  • As an admin login, you're presented with this:
    [screenshot]

  • This then sets the following in the backend:
    [screenshot]

  • Once this is set, the users are forced to use the Google Authenticator, and cannot choose the Yubikey:
    [screenshot]

  • If you select "Use default values" on the provider config, and remove the selection:
    [screenshot]

  • The users correctly show the options for the providers to login with:
    [screenshot]

  • HOWEVER. This then forces the admin login to be presented with the following on login:
    [screenshot]

  • Which then sets the config value, and forces the users to use the provider.

It appears to me that 2 configuration values are intended, a "Use config providers" and a "Force config providers", but only one is present (or unintentionally being set to "force" instead of "use").

@nathanjosiah
Contributor

@tschirmer When multiple providers are enabled, each user must configure all of them (or skip the configuration). Once they are configured each user can choose which provider to authenticate with at each login.
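To make the two behaviours discussed in this thread concrete (the maintainer's "every enabled provider must be enrolled or skipped" rule, and the per-user choice the reporters are asking for), here is an added Python model of the login decision. It is example code written for this discussion, not Magento's or the security-package's own code; the provider codes, the `Policy` names and the function names are assumptions, and the "skip" simulation stands in for the email-link skip described later in the thread.

```python
from dataclasses import dataclass, field
from enum import Enum

# Assumed provider codes for the three providers named in the issue. "u2fkey"
# appears in the stored JSON quoted later in the thread; the other two are guesses.
ENABLED_PROVIDERS = ["duo", "google", "u2fkey"]


class Policy(Enum):
    # Behaviour described by the maintainer: every enabled provider must be
    # enrolled (or explicitly skipped) before the user can pick one at login.
    FORCE_ALL = "force_all"
    # Behaviour the reporters ask for: one enrolled provider is enough.
    ANY_CONFIGURED = "any_configured"


@dataclass
class AdminUser:
    username: str
    configured: set = field(default_factory=set)  # providers the user finished enrolling
    skipped: set = field(default_factory=set)     # providers the user chose "skip until next login" for


def next_login_step(enabled, user, policy):
    """Decide what the login flow does for this user under the given policy.

    Returns ("configure", [providers]) when the user is sent to enrollment,
    or ("challenge", [providers]) listing the providers they may authenticate with.
    Lists keep the order of `enabled`.
    """
    usable = [p for p in enabled if p in user.configured]
    if policy is Policy.FORCE_ALL:
        pending = [p for p in enabled if p not in user.configured and p not in user.skipped]
        if pending:
            return ("configure", pending)
    if not usable:
        # Nothing enrolled yet: under any policy at least one provider must be set up.
        return ("configure", [p for p in enabled if p not in user.configured])
    return ("challenge", usable)


def enrollment_prompts_until_login(enabled, user, policy):
    """Count how many enrollment prompts the user must skip before reaching a
    challenge with what they already configured (0 means no detour at all)."""
    if not user.configured:
        raise ValueError("user must have enrolled at least one provider")
    # Work on a copy so the caller's user object is not mutated.
    user = AdminUser(user.username, set(user.configured), set(user.skipped))
    prompts = 0
    while True:
        action, providers = next_login_step(enabled, user, policy)
        if action == "challenge":
            return prompts
        # Simulate the user skipping the first pending provider instead of enrolling it.
        user.skipped.add(providers[0])
        prompts += 1


if __name__ == "__main__":
    # Constructed sample: a fulfilment user who only owns a hardware key.
    ops = AdminUser("ops", {"u2fkey"})
    for policy in Policy:
        print(policy.value, next_login_step(ENABLED_PROVIDERS, ops, policy),
              "prompts:", enrollment_prompts_until_login(ENABLED_PROVIDERS, ops, policy))
```

Running the sample shows the difference the thread is about: with three providers enabled and only the hardware key enrolled, `FORCE_ALL` sends the user through two enrollment prompts (one per remaining provider) before they can authenticate, whereas `ANY_CONFIGURED` challenges them with their one enrolled provider immediately. The same function also covers the two cases the maintainer describes, a user with nothing enrolled (sent to enrollment under either policy) and a user with everything enrolled (free choice at login).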

@alucardatem

What about adding multiple Yubikeys as backup keys? As you know, when getting a hardware-based token, you would always need a backup key, which you should register with the service that provides it. @nathanjosiah

Correct me if I am wrong, but there is the possibility to do so, as in the encrypted stored JSON data:

"u2fkey": { "registration": { "public_keys": [ { "key": "<PUBLIC KEY DATA>", "id": "<ID ???>", "aaguid": "<ANOTHER STRANGE VALUE>" }] }, "active": true }

Doesn't the above mean that we should be able to add in X Yubikeys, as an example?
And what about recovery codes to be used?

Looking into all of the services that provide 2FA, configuration should be doable from the Admin panel as well, on user level: to add 2FA, change the 2FA, add new security keys as extra methods, and have a list of generated backup codes.

That is basic in regards to 2FA.

@nathanjosiah
Contributor

@alucardatem yes, that is correct. The implementation was built with this forward-compatibility should it ever be implemented since it was a relatively common use case within u2f keys. However, u2f keys are not very common so there isn't a lot of push for this (or really any new 2fa features) and subsequently our product teams do not have anything on the roadmap at the moment for this feature. That said, something that may be of interest to you is that we do have something on the roadmap that would minimize the number of times you need to complete a 2fa challenge while using the same device. A sort of "remember me" feature.

@alucardatem

@nathanjosiah - while the "remember me" feature is something nice to have, I think that users should have the possibility of changing the secret on the Google auth (re-implementing it or turning it off) or having the option to use backup codes. But adding hardware tokens has become an essential security practice these days inside a lot of businesses, and something like that inspires more trust for a merchant and a day-to-day operations user of the admin panel (a member of staff of client X from company Y), and would also take the load off a single administrator having to issue "resets" every time someone "forgets" or loses the phone etc.

And to be honest, in this case at least as I am seeing it, combining the "remember me" for 2FA / login etc. (whatever it will be called; similar to what LastPass uses, I would assume) would be a really exciting feature and capability of Magento which will put it ahead of competitors?

@diwipl

diwipl commented Dec 20, 2022

@tschirmer When multiple providers are enabled, each user must configure all of them (or skip the configuration). Once they are configured each user can choose which provider to authenticate with at each login.

We have multiple cases in our customer base where some admins would like to use only google auth, others would like to use only hardware keys, and some would like to have both.

Currently, such a flow has really bad UX because in case an account has only one provider configured, the admin is forced to receive the email to configure the second one, and only after clicking the link in the email admin is able to click "Skip until next login" to use already configured provider.

Could you explain why skipping is not possible directly after the login screen (having of course at least one provider configured) without a need to receive an email and clicking on the link there?

@alucardatem

Why is this closed? And how can we set this to skip from the start and not go through X emails and bad workflows over this?
As @diwipl mentioned, we also have in our company users that have hardware keys and do not want a Google 2FA / Authenticator app, people who want both, and several individuals that use Authy.

Now you can imagine that currently we have Google Authenticator / Authy / U2F keys ==> that means that the person who uses the U2F key has to skip on 2 emails before logging in.

@diwipl

diwipl commented Mar 8, 2023

@alucardatem just for your information, since we cannot wait for Magento's official fix, we created a module that solves that issue: https://packagist.org/packages/creativestyle/magesuite-tfa-do-not-force-all-providers

@alucardatem

alucardatem commented Mar 8, 2023

@diwipl - done something similar (internally) :D without the skip; it just shows all providers in order to login directly via that one.

However, I do like the skip of the second activation. Thank you.

@fredden
Member

fredden commented Mar 8, 2023

@nathanjosiah please can you re-open this so that it can be resolved properly.

@nathanjosiah
Contributor

I'm going to look into this again. One of my teams may have availability to work on this.

@nathanjosiah nathanjosiah self-assigned this Mar 13, 2023
@nathanjosiah nathanjosiah added enhancement New feature or request and removed bug Something isn't working labels Mar 13, 2023
@nathanjosiah nathanjosiah changed the title 2.4.0: Configuring multiple 2FA providers requires all providers for all users Allow each admin user to choose which 2fa providers to setup Mar 13, 2023
Development

No branches or pull requests

8 participants