Extend time for 2FA reauthentication when the session is used

Really? If I log into gmail on one of my emails on my desktop, it asked me to confirm it on my phone every single time and it's really annoying xD
Hm. Not I. Might be a setting in your Google settings.

Ya, I rolled it into that for the next release.
I am really interested in your security add-on from a professional IT standpoint but I'm not sure my site really needs it. And I am stepping back from day-to-day admin work so I wouldn't be the one implementing it anyhow (though the other admin has a background in IT security so might be interested herself).
 
In what use case are you mandating 2FA, or users are wanting it and activating it, but that the 30 day timeout is too onerous? The whole point of 2FA is security, and if you or users are wanting security, then anything beyond 30 days arguably becomes quite risky.
I'd say it pretty much depends on your threat model.

2FA as currently implemented in XenForo can protect against
  1. Unauthorized use of an account via login with a valid password on an untrusted device
  2. Unauthorized use of an account via user remember key on an untrusted device
  3. Unauthorized use of a logged in account on a trusted device after 30 days
  4. Unauthorized use of tokens (user remember key and tfa trust key) after 30 days
IMHO scenario 1) is the most likely threat; in this case it doesn't matter how long a device is trusted, so increasing the validity time doesn't weaken protection here.
Scenario 2) would not be affected by a longer trust time either.

With auto-extending TFA trust, scenarios 3) and 4) would allow an attacker to use the compromised device / stolen tokens "forever" if the account is used often enough and the victim doesn't change the password or revoke device trust.

For a normal user account a longer (or auto-extending or even infinite) device trust might well be sufficient when considering security vs. usability; accounts with higher risk (like Admins, Mods) might require more protection.
 
Agree with all this. To me TFA is a compromise between security and convenience... if you make it too inconvenient, users will simply not use it and you lose all security benefits of TFA. A perfect example is myself... I ended up disabling TFA on my user account on this site because it's not worth the annoyance of needing to re-authenticate 4 devices every 30 days (computer, phone, iPad and now PWA). It's not like my XenForo account is keeping the secrets of the universe or anything.

And yes... you can still force certain users to require TFA (like admins or mods), as well as an option to force TFA re-authentication if you want to log into the admin area. There are certain types of sites I'd consider making TFA a requirement for "normal" users as well... a marketplace where users can deposit/withdraw real funds whenever they want for example (probably even force a re-auth of the TFA anytime they want to withdraw funds).
 
It's not like my XenForo account is keeping the secrets of the universe or anything.
That is my thought right there--this isn't a bank account we're protecting, it's just a discussion board. Staff, sure, really do need to have tighter security given what damage their account can cause if it's compromised. But, normal users? We did have that rash of attacks just a few months ago where valid user/password combinations were logging into dormant accounts, so that is a concern but again, outside of staff members, we would note the user's account, delete anything bad that was posted, and deactivate the account until the real owner could contact us to regain access.

I am really liking how Passkeys is working, though. It has a few usage quirks but otherwise it is hassle-free for me.
 
Ya that's kind of the whole point of the suggestion... Make TFA less annoying and people will use it more. Sure, TFA that doesn't force you to re-auth every 30 days might be slightly less secure than one that does... however now I use no TFA option here because it's simply too much of a hassle for me personally. So which option is really the most effective at keeping my account secure now?

The "in-between" where you have to re-auth TFA, but only if you don't use the device for an extended period of time seems to be a nice sweet spot imo.
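The trade-off laid out in the four scenarios earlier in the thread (a stolen trust token living "forever" under auto-extending trust) and the "in-between" proposal just above can be made concrete by replaying a visit schedule against a few trust policies. The following is an added example, not XenForo's code nor any add-on's; the policy names, `TrustToken`, `check_trust`, `count_prompts` and `stolen_copy_still_valid` are hypothetical, and the visit schedules are constructed. It compares a fixed 30-day window, a window that slides forward on every use, and a sliding window with an absolute cap for staff accounts, and it shows what each does to a token copied off a device at first login.

```python
"""Device-trust policies for 2FA re-authentication, modelled as pure functions.

Added example, not XenForo's or any add-on's code. Policy and function names
are hypothetical. Times are integer seconds; visit schedules are days since
the first login. Token state lives server-side, so a copied token shares the
same last_used_at as the original.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

DAY = 86400


@dataclass
class TrustToken:
    issued_at: int      # when the user last completed 2FA on this device
    last_used_at: int   # last time the token was presented


@dataclass(frozen=True)
class TrustPolicy:
    idle_days: int                # max gap between uses before 2FA is demanded again
    max_age_days: Optional[int]   # absolute cap from issued_at; None = no cap
    sliding: bool                 # a successful use pushes last_used_at forward


# Fixed 30-day trust, the behaviour the thread describes as current.
FIXED_30 = TrustPolicy(idle_days=30, max_age_days=30, sliding=False)
# Auto-extending trust: re-auth only after 60 idle days (the "in-between" proposal).
SLIDING_60 = TrustPolicy(idle_days=60, max_age_days=None, sliding=True)
# Staff: sliding, but an absolute 90-day cap bounds how long a stolen token can live.
STAFF = TrustPolicy(idle_days=14, max_age_days=90, sliding=True)


def check_trust(token: TrustToken, policy: TrustPolicy, now: int) -> Tuple[bool, TrustToken]:
    """Decide whether a presented token still skips 2FA at time `now`.

    Returns (trusted, token). Under a sliding policy a valid use returns a
    token whose last_used_at is refreshed; the caller persists it.
    """
    if policy.max_age_days is not None and now - token.issued_at > policy.max_age_days * DAY:
        return False, token
    if now - token.last_used_at > policy.idle_days * DAY:
        return False, token
    if policy.sliding:
        token = TrustToken(token.issued_at, now)
    return True, token


def count_prompts(policy: TrustPolicy, visit_days) -> int:
    """Replay a visit schedule and count how many times the user is sent to 2FA."""
    prompts = 0
    token = None
    for day in visit_days:
        now = day * DAY
        ok = False
        if token is not None:
            ok, token = check_trust(token, policy, now)
        if not ok:
            prompts += 1
            token = TrustToken(issued_at=now, last_used_at=now)  # fresh token after 2FA
    return prompts


def stolen_copy_still_valid(policy: TrustPolicy, victim_visit_days, check_day: int) -> bool:
    """Scenario 4 from the thread: the token is copied at first login, the victim
    keeps using the original, and the attacker presents the copy on check_day.

    The server tracks one last_used_at per token, so every victim visit keeps
    the attacker's copy alive too. The copy dies only when the victim is
    re-prompted (a new token replaces the old one) or an absolute cap is hit.
    """
    token = TrustToken(issued_at=0, last_used_at=0)
    for day in victim_visit_days:
        if day > check_day:
            break
        ok, token = check_trust(token, policy, day * DAY)
        if not ok:
            return False  # victim re-authenticated, old token replaced
    ok, _ = check_trust(token, policy, check_day * DAY)
    return ok


if __name__ == "__main__":
    regular = range(0, 366, 5)        # constructed schedule: a visit every 5 days for a year
    with_hiatus = [0, 5, 10, 80, 85]  # constructed schedule: a 70-day gap
    for name, policy in [("FIXED_30", FIXED_30), ("SLIDING_60", SLIDING_60), ("STAFF", STAFF)]:
        print(name,
              "prompts/year:", count_prompts(policy, regular),
              "prompts with hiatus:", count_prompts(policy, with_hiatus),
              "stolen copy alive at day 400:",
              stolen_copy_still_valid(policy, range(0, 401, 5), 400))
```

For a member who visits every five days, the fixed policy prompts eleven times a year, the sliding policy once, and the capped staff policy four times; a 70-day absence forces a fresh 2FA under all three. The difference that matters for the threat model is the last column: a token copied off the regular member's device stays usable for as long as the victim keeps visiting under `SLIDING_60`, while the absolute cap in `STAFF` kills it within 90 days regardless of activity. That is the knob an admin-only policy would set.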
 
The "in-between" where you have to re-auth TFA, but only if you don't use the device for an extended period of time seems to be a nice sweet spot imo.
I like that idea. Regular users, accessing from the same device, don't need the 2FA nag every X number of days. And having that buffer of auto-extending the 2FA expiration is IMHO a better way to go about it.

I do agree on making it easier for members. As I've said before (and probably in this thread...memory ain't what it used to be), some of the forums I work on skew older, and the members are often not computer-savvy and 2FA can easily fail since they don't understand the complete process and easily get tripped up.

It's loosely related to this suggestion, but I like how the Cloudflare Zero Trust option in your CF add-on works for logins to the Admin and Install areas. Anyone attempting it has to get past the Cloudflare 2FA first. I admit it's a little annoying as it's back to the limited number of days before the 2FA expires and on top of it, if my forum 2FA has also expired, that's two steps to get past it. But unless I'm actively working on a site for days or weeks, it is not so bothersome.
 
That is my thought right there--this isn't a bank account we're protecting, it's just a discussion board.
Agree, I'd never mandate 2FA for regular users even with 90-day re-auths. 2FA is just not worth the hassle and support for regular users; password complexity rules are fine.
If you feel 2FA is required/important, then 90 day re-auths would likely be too insecure for such people/accounts.
 
If you feel 2FA is required/important, then 90 day re-auths would likely be too insecure for such people/accounts.
I have noticed something on a couple of sites I visit (which is a setting @digitalpoint put into his add-on above). If I am a regular visitor, I never need to go through the 2FA, except maybe once a year. Yet if I don't visit for 60 days or whatever time limit they have set, I have to go through the process again. Asking regular members to revisit 2FA every 30 days is a bit much.

We did have a security scare at one of our forums a few years ago and a lot of users flocked to 2FA, but I wonder how many kept using it. I showed a couple of admin staffers where to disable 2FA for a particular member, as they do get locked out every so often.

I really prefer passkeys these days, but that is above most members' comprehension (mainly because they are not tech-savvy and again, skew older). And I've found it is tricky to use. When my computer asks me to insert a USB key, I have to click "Cancel" in a Chromium-based browser, which then takes me to where I can choose an alternate key (a computer/phone/tablet, etc.). It's nice to pick up a phone, verify myself with a fingerprint, and move straight into XenForo.
 
The good news is that work is still being done for the convenience factor.
It will get there one day. At the very least, Chromium browsers should offer a menu when choosing a passkey--choose from a USB key, or registered devices. Give it a year or two and I feel they will be easier to use.
 