1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Deactivating 2FA is too easy

Discussion in 'General XenForo Discussion and Feedback' started by rugk, Aug 29, 2015.

  1. rugk

    rugk Active Member

    Let's take the following scenario: An attacker has gained access to the users password and one of these requirements:
    • he has access to the device where the user selected 'remember this device for 30 days' or
    • he can somehow bypass the login 2FA, because the user has selected 'remember this device for 30 days' on a device and he has stolen/intercepted the cookie or whatever is used for remembering this or
    • he is in front of the device where the user is just logged in

    In this case he can easily deactivate the 2FA. The only thing he has to do is entering the users password. The problem is that there is no 2FA required before deactivating (or otherwise modifying) the 2FA.
    The same also applies to the password change. An attacker there also just have to enter the old password (and not pass the 2FA) to change it.
    rafass and Fred. like this.
  2. Mike

    Mike XenForo Developer Staff Member

    2FA isn't designed to block the scenarios you're referring to. 2FA specifically covers gaining access only to the password (such as via phishing, reuse, compromise, etc). It blocks you from gaining access to the account, not from taking actions when you already have access to the account or a device. The change you're proposing would create many more situations where a user could not manipulate their 2FA settings legitimately (such as by losing the phone with the app on it).

    I would also note that Google takes the identical approach.
  3. rugk

    rugk Active Member

    AFAIK Google sends an email when the 2FA is deactivated.
    This at least notifies the user that something has changed there.
  4. Chris D

    Chris D XenForo Developer Staff Member

    I was curious; that is correct - they do send a notification email when 2FA is activated or deactivated. Other than that, the implementation is basically the same - there was no second factor needed when disabling 2FA.
  5. feldon30

    feldon30 Well-Known Member

    It's two factor authentication. If you have both factors, you have access.
  6. rugk

    rugk Active Member

    The issue in my explanation was that you only need to have one factor (password) and a kind of weakness, like a logged-in user.
    The basic thing is that the old 2FA code is not required before entering a new one or disabling it. (if you image the same with a password you would also say this is bad)

    Maybe that's a theoretical issue and maybe other companies make the same thing, but IMO it's something which is worth thinking about.
  7. md_5

    md_5 Well-Known Member

    I agree with this, and it's a common thing in other sites. 2fa should be required to disable 2fa.
    rugk and Fred. like this.
  8. Divvens

    Divvens Well-Known Member

    Not sure what you mean by "common" but Google & Facebook deactivate 2FA without requiring anything but your password.

Share This Page