Feature Request - 2FA Remember me

alessandrobozzo

Good morning,

have you thought about integrating the cookie for 30 days as happens for all sites? So that I don't have to enter the MFA code every time from the same PC?

Bigbug

Hey! Wanted to request same thing…
it should remember device for some period of time to bypass 2fa in a secure fashion
although it makes me do more exercise as of now.. :-) it'll be a great addition!

Maury

thanks, I await your news.

johnny

We need to tread carefully on this, hopefully we will have a solution soon

wrongecho

How about.. New database table, something like: 2fa_tokens

2fa_token_id
2fa_token_secret
2fa_token_user_id
2fa_token_expires
2fa_token_last_used

If you check the "Remember me" on the 2FA page you get assigned a 14 day cookie with a token.

When you submit the token as a cookie as part of logging in, the token is checked that it matches one in the 2fa_tokens table for that user ID and isn't expired. If that passes, we skip 2FA for that login. Else, we show the 2FA form as normal.

User would be able to revoke their valid 2FA remember me tokens on the profile page.

Expires tokens are cleaned up by Cron.

psiiota

How about implementing FIDO2 as the 2nd auth factor? I feel this is most future-proof, and convenient. This way you could use fingerprint on the cellphone.

Bigbug

psiiota that would be great when logging in on smartphone/tablet but not relevant for desktops

psiiota

@johnny @wrongecho lbuchs/WebAuthn: A simple PHP WebAuthn (FIDO2) server library (github.com)

psiiota

Bigbug How would this be irrelevent for desktops? It is the only way I login to github…
The entire industry is moving to FIDO2 from TOTP codes. See: (3) Passkeys are HERE and they're SECURE! Learn this today... - YouTube

Bigbug

psiiota I meant it's specific to biometrics, you're right.

johnny

@Bigbug We use yubi-keys for the desktops and laptops and works great

wrongecho

I fully support FIDO2 (I think it's been on the future feature road map since before I started contributing), but it's important to remember not everyone wants the expense of passkeys on laptops/desktops.

alessandrobozzo

The idea of the FIDO keys is excellent, we also use it successfully to access Microsoft 365 for example. At the moment for ITFLOW at least the possibility that for 14 days on the device you always use is not required MFA every time during the day would be sufficient it happens to insert it even 7/8 times.

johnny

First step we just added a remember me option on the login page, more to come tommarow

see here

itflow-org/itflow3f2f405

psiiota

This does not seem to be working in mobile on chrome.

wrongecho

psiiota

Can you share an image of what you see instead of the button?

psiiota

Aah, I missed this was not yet working.