Extend time for 2FA reauthentication when the session is used

It would be nice if a device that is being actively used wouldn't need to reauth 2FA every 30 days. Especially nice for the PWA app. It's going to be terribly annoying when users have to re-login to the app all the time. Applies to the site as a whole, but especially the PWA.
Perhaps make the time between reauth an admin option?
 
I do find thirty days isn't onerous but I don't use the PWA so haven't seen how it interacts with MFA.
It will be the same as a normal web browser as far as 2FA goes. Users will be more or less logged out of the "app" every 30 days and require re-authentication. I can definitely see how that's going to annoy users and at some point a large percentage of them will just stop re-authenticating. Imagine how you would feel as an end user if every app you had on your phone required you to re-authenticate every 30 days? Some apps are going to be worth the hassle, some aren't.
 
This happens for some of my work apps, in fact. A nuisance but a minor one, IMHO.
Ya, but imagine it for apps that aren't necessary for things like work. Just "normal" consumer apps. Like I wouldn't order food from a restaurant app if I had to re-authenticate whenever I wanted to order food (in fact, I can think of 2 cases where I stopped ordering food from those places because I couldn't be bothered to log back in). Not saying people won't do it in some cases, but there's no reason to raise the barrier of use.
 
It would be nice if a device that is being actively used wouldn't need to reauth 2FA every 30 days.
I was going to say that there's an add-on that offers this...but you coded it! 😁

Agreed, though. For me it's not a hassle with your add-on since I am using the "passkeys" option for the XF sites I manage. But otherwise, if I don't use email 2FA, having to find the right phone to run an authenticator app is a PITA. (I don't keep a phone tethered to me 24/7.) I would prefer it be an option in XF without an add-on so we could adjust it to our liking. Some members (our forums skew older) have issues with computers in general, and it's often a task every 30 days to walk them through 2FA which they can't figure out.

Having a separate setting for registered members and for staff (where I would want a shorter timeout for 2FA) would be helpful. Perhaps tying it into the permissions system?
 
Perhaps make the time between reauth an admin option?
That might still be too coarse - for example an admin may want to allow regular users to choose / have a longer validity time while staff is required to reauth more often.

I'd suggest to make maximum TFA validity time a usergroup permission, this IMHO would be the most flexible option.

Now if XenForo would also support WebAuthn and users use a smartphone with a fingerprint sensor, it shouldn't be too much hassle.
 
Yep agreed. Make WebAuthn native and as a bonus make the tfa account flag a number of tfa options rather than boolean. Then you could force user groups to have a minimum number of tfa options rather than forcing them to have an option. 1 would be the same as it works now, but 2 would require them to have a backup tfa option. I mean if we are dreaming here. 😀
 
Looks like the underlying suggestion would be fairly easy to do. You could still have TFA trusted by default for a hard-coded 30 days, but then an additional option to extend TFA trust by x days when a user starts a session from a cookie (\XF\Pub\App->loginFromRememberCookie()), during that process, simply extend how long you trust the existing TFA. That would allow TFA to still fall off as no longer valid if a user doesn't use the site from that device for an extended period of time, but if someone uses it often, it just keeps getting extended until they stop using it often.
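As an added illustration of the sliding-trust idea in the post above (this is example code written for this page, not XenForo's own code or the poster's; the names TrustPolicy, DeviceTrust, issue_trust, on_remember_cookie_login and simulate are hypothetical, and the per-usergroup policies are constructed). It also folds in the usergroup-permission idea from earlier in the thread and adds one thing the post did not mention: an absolute cap measured from the last real second-factor check, so a cookie alone can never keep a device trusted forever.

```python
"""
Sliding TFA device trust with a hard cap.  Illustrative only; not XenForo code.
All names here (TrustPolicy, DeviceTrust, issue_trust, on_remember_cookie_login,
simulate) are hypothetical.  Times are timezone-aware datetimes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class TrustPolicy:
    """Per-usergroup knobs, as a usergroup permission could expose them."""
    base_days: int    # trust granted when a second factor is actually verified
    extend_days: int  # on a remember-cookie login, trust becomes now + extend_days; 0 = never extend
    max_days: int     # absolute cap from the last real TFA check; extension never passes it


@dataclass
class DeviceTrust:
    device_id: str
    tfa_completed_at: datetime  # last time a second factor was really verified on this device
    expires_at: datetime        # current (sliding) expiry


# Constructed example policies (assumption): staff keep a fixed 30 days, members get
# a sliding window that cannot exceed 90 days without re-verifying a factor.
STAFF_POLICY = TrustPolicy(base_days=30, extend_days=0, max_days=30)
MEMBER_POLICY = TrustPolicy(base_days=30, extend_days=30, max_days=90)


def issue_trust(device_id: str, policy: TrustPolicy, now: datetime) -> DeviceTrust:
    """Called right after the user passes TFA on this device."""
    return DeviceTrust(device_id, now, now + timedelta(days=policy.base_days))


def tfa_required(trust: Optional[DeviceTrust], now: datetime) -> bool:
    """True when the device has no trust record or its trust has lapsed."""
    return trust is None or now >= trust.expires_at


def on_remember_cookie_login(trust: Optional[DeviceTrust], policy: TrustPolicy,
                             now: datetime) -> Optional[DeviceTrust]:
    """Hook for the point where a session is restored from the remember cookie.

    Returns the (possibly extended) trust, or None when TFA must be redone.
    Lapsed trust is never revived here: a device that sat unused past its
    expiry goes back through the second factor, exactly as the post describes.
    """
    if tfa_required(trust, now):
        return None
    if policy.extend_days <= 0:          # e.g. staff: fixed window, no sliding
        return trust
    hard_cap = trust.tfa_completed_at + timedelta(days=policy.max_days)
    candidate = min(now + timedelta(days=policy.extend_days), hard_cap)
    if candidate > trust.expires_at:     # extend only, never shorten
        trust.expires_at = candidate
    return trust


def simulate(policy: TrustPolicy, login_days: List[int]) -> List[Optional[int]]:
    """Replay cookie logins on the given days (counted from the initial TFA).

    Returns the trust expiry in days after each login, or None where TFA was
    required again (after which the user is assumed to have redone TFA).
    """
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed start time
    trust = issue_trust("dev-1", policy, t0)
    out: List[Optional[int]] = []
    for d in login_days:
        now = t0 + timedelta(days=d)
        trust = on_remember_cookie_login(trust, policy, now)
        if trust is None:
            out.append(None)
            trust = issue_trust("dev-1", policy, now)  # user re-did TFA on this device
        else:
            out.append((trust.expires_at - t0).days)
    return out


if __name__ == "__main__":
    # A member used on days 20, 45, 70, 89 slides to the 90-day cap and then
    # must redo TFA on day 91; staff never slide past day 30.
    print(simulate(MEMBER_POLICY, [20, 45, 70, 89, 91]))
    print(simulate(STAFF_POLICY, [20, 29, 31]))
```

The cap is the part worth keeping if this ever becomes a real option: without it, an attacker holding a stolen remember cookie can keep the device trusted indefinitely just by using it, which is the "defeats the purpose" objection raised later in the thread. The trust record itself should of course be keyed by an opaque, server-side token rather than anything the client can forge.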
 
It would be nice if a device that is being actively used wouldn't need to reauth 2FA every 30 days. Especially nice for the PWA app. It's going to be terribly annoying when users have to re-login to the app all the time. Applies to the site as a whole, but especially the PWA.
Wouldn't that defeat the purpose of 2FA though?

Just out of curiosity.
 
It would be nice if a device that is being actively used wouldn't need to reauth 2FA every 30 days. Especially nice for the PWA app. It's going to be terribly annoying when users have to re-login to the app all the time. Applies to the site as a whole, but especially the PWA.
Wouldn't that defeat the purpose of 2FA though?

Just out of curiosity.
I have the same question, with curiosity.
In what use case are you mandating 2FA, or users are wanting it and activating it, but that the 30 day timeout is too onerous? The whole point of 2FA is security, and if you or users are wanting security, then anything beyond 30 days arguably becomes quite risky.
 
I have the same question, with curiosity.
In what use case are you mandating 2FA, or users are wanting it and activating it, but that the 30 day timeout is too onerous? The whole point of 2FA is security, and if you or users are wanting security, then anything beyond 30 days arguably becomes quite risky.
Is there actually any evidence behind that 30 days, though, or is it just that someone, somewhere settled on a month as a reasonable balance between security and convenience and everyone else followed suit? Are we really that much less secure if it is 60 or 90 days for an ordinary user? I suspect ordinary users are fine at 90, with staff at 30 due to the greater sensitivity of some of what they can do.
 
Well I’m mostly talking about the context of the PWA app. As an example, the Gmail app doesn’t require you to redo TFA every 30 days (or ever as far as I’ve seen). Pretty sure most people would consider access to their email something that should have a higher priority of protection than your average XenForo account. So is Google doing security wrong because they are forcing users to re-authenticate every 30 days in their apps? Same with my banking app. TFA is only required on initial log-in, not on subsequent ones.

And yes… there's a balance between security and convenience. Too many security requirements and users will disable TFA and you lose the security you are trying to repeatedly enforce on them. Or in the case of the PWA app, users will stop using it because they don't want to re-authenticate every 30 days. A standard user's XenForo account is not more important than their Google or bank accounts, but they are being forced to do TFA on every device they use every 30 days. Between my computer, iPad, iPhone and now the PWA app, I average needing to do a new TFA auth here on XenForo every 7 days. Meanwhile my bank account and Google accounts just keep on working fine without all that.

I'll probably just end up disabling TFA and rely on a good password to work around it on this site. Which again… sort of defeats the purpose when you make TFA annoying enough that users go out of their way to disable it.
 
Coincidentally, I just now had to do it for the 100th time on this device.

[attached screenshot: 1682521140633.png]

I'm over it... I don't want to be logging into XF PWA continuously. I bit the bullet and disabled TFA here. My password here is unique and is the equivalent of 2048 bit encryption key. Have at it... 😂
 
Gmail app doesn’t require you to redo TFA every 30 days (or ever as far as I’ve seen)
Really? If I log into Gmail on one of my emails on my desktop, it asks me to confirm it on my phone every single time and it's really annoying xD

Edit:
But then this discussion is regarding the PWA not the website on a desktop so nvm xD
 