Send notification when there are two-step verification or connected account changes

[digitalpoint]

It would be nice if XenForo has better handling of account security when something important on the account changes. For example, say an account was hijacked and the email address was changed.

First, it would just be nice is if the old email address was notified of the change. Even better would be if that email contained a link that allowed the recipient to undo the change (without authentication in case password was also changed). Link could be valid for a certain period of time (say 7 days).

Notification of changes of any data that affects a user's ability to authenticate would be nice... email address change, password change, two-step auth changes, connected account addition/removal, etc.

 

[Chris D]

First, it would just be nice is if the old email address was notified of the change.

This already happens.

Even better would be if that email contained a link that allowed the recipient to undo the change (without authentication in case password was also changed). Link could be valid for a certain period of time (say 7 days).

We don't do this, but I don't think it's necessary. We include the IP address of the user who changed it and log the IP address under xf_ip so it should be reasonably simple for an admin to verify an unauthorised change.

Notification of changes of any data that affects a user's ability to authenticate would be nice... email address change, password change

Password changes trigger a notification too.

So there's a few things here that are maybe reasonable but for the most part we either already do them or they don't really feel compelling.

Notification of two step verification and connected account changes might be the most significant so renamed the suggestion to account for that.

 

[digitalpoint]

This already happens.

Oh good, how did I not know this? lol

We don't do this, but I don't think it's necessary. We include the IP address of the user who changed it and log the IP address under xf_ip so it should be reasonably simple for an admin to verify an unauthorised change.

Ya, although talking about larger sites (million or so users). Allowing them to sort out the issue themselves is preferable in my eyes vs. just having the info needed for an admin to sort it out for them. The more users you have, the less it scales. Totally different scale of course, but imagine if Facebook or Google account hijacks required Facebook/Google admins to get involved. Would need a giant building just to house all these full time admins.

 

[Wildcat Media]

Notification of two step verification and connected account changes might be the most significant so renamed the suggestion to account for that.

I know it's annoying when one of my banks will send a notice any time I log in on an "unrecognized" device, but there is always that one time someone gets their account hacked into, that they'll wish they had been notified. Any helpful notification is always a plus.

 

[digitalpoint]

In my dream world, it would be nice if it was abstracted out to a single function across the board. For example, instead of having emails that are more or less the same for each type, just have a phrase along the lines of x_changed_body_html. And pass in x as a variable.

Right now, there's email_changed_body_html and password_changed_body_html, if we were to add a notice for two-step and connected accounts, that's additional replication. And I was also thinking about some custom things I have that are going to require it as well (not my case, but as an example, what if you had bank account info, credit cards, cryptocurrency deposit addresses, etc.).

Would love a method that allowed you to pass in the variables for the alert emails, have an optional parameter that was something like "allow undo". With that undo link included in the notification email.

The current situation where someone is alerted that their email was changed, but they can't do anything about it other that figure out how to contact an admin and sit and wait until a human gets back to them while the hijacked account could just be doing whatever in the meantime is less than ideal. Ends up being unnecessary/more work for admins investigating and restoring the account as well as possibly needing to go and do spam reversals (now we have to selectively delete conversations/posts from the point the hijack happened without destroying the real user's content via spam cleaner). The sooner we can put a stop to the hijack, the better. A simple "undo change" link the rightful owner could click seems like the quickest/simplest way to me.

 

[Wildcat Media]

The current situation where someone is alerted that their email was changed, but they can't do anything about it other that figure out how to contact an admin and sit and wait until a human gets back to them while the hijacked account could just be doing whatever in the meantime is less than ideal.

That would be my worry also. I do use Dragonbytes Security on one of our big forums and it can detect some illicit activity on its own (especially with staff accounts), but only an account owner knows for sure what is happening with their account. We've had rare instances over the years where a spouse or adult child gets into the member's account and posts under it--it's often legit, but the capacity is there for someone to really make a mess of things or worse, take over the account by changing the password and email. The longer a problem sits, the worse it can get.

The sooner we can put a stop to the hijack, the better. A simple "undo change" link the rightful owner could click seems like the quickest/simplest way to me.

I like that idea.

That leads to another idea I had--soft-delete user accounts at first, then have them purged after 30 or 60 days (so GDPR doesn't have a hissy fit). That would help someone recover from a hacking incident (or a "fat thumbs" incident) where an account is deleted that shouldn't have been. Something only a Super Admin could recover, though.

 

[digitalpoint]

So this came up in my brain again today (working on some new two-step options)...

Kind of along the same times, it would be nice if someone attempts to remove an enabled two-step option (or connected account) is they first need to verify they have access to one of their two-step methods.

In theory, let's say someone gets physical access to my computer where I'm logged in to the site already... In my case, my password is stored in my password manager as well (which defeats the purpose of requiring just the password to access the two-step options). I have 4 different options for two-step verification:



So now, someone can just remove the Security keys/Passkeys, PGP, Authenticator and Telegram options without an email notice or requiring them to verify they have access to one of those currently.

Seems crazy to me.

 

[⭐ Alex ⭐]

I know it's annoying when one of my banks will send a notice any time I log in on an "unrecognized" device, but there is always that one time someone gets their account hacked into, that they'll wish they had been notified. Any helpful notification is always a plus.

I guess netflix thinks it's a bank.

In my case, my password is stored in my password manager as well

So now, someone can just remove the Security keys/Passkeys, PGP, Authenticator and Telegram options without an email notice or requiring them to verify they have access to one of those currently.

You already authenticated with one of them to get into your account. Someone accessing your computer is not XF's business and that's a security problem you need to thwart on your premises by locking your room and windows and using a 2fa protected lock screen when you leave your computer.

 

[digitalpoint]

Agreed. I’m not worried about me, I’m worried about idiot users losing access to their account.

Also, by your logic, there is no need for two-step verification because someone should keep their stuff secure.

 

[⭐ Alex ⭐]

Agreed. I’m not worried about me, I’m worried about idiot users losing access to their account.

Also, by your logic, there is no need for two-step verification because someone should keep their stuff secure.

two step verification mostly protects against remote attacks to your account, as well as someone guessing your passcode.

 

[digitalpoint]

two step verification mostly protects against remote attacks to your account, as well as someone guessing your passcode.

Right, however I was just pointing out that by your logic as long as you use secure passcodes, there's no need for two-step authentication. Which to some degree I agree with.

The issue here is that it doesn't matter how secure my account is. When you have a million+ users that don't know how to keep their account secure, it becomes an issue/workload for you. It's not realistic to train your users on how to keep their account secure... why they shouldn't stay logged into a computer that isn't theirs or why they should lock their computer screen before they walk away from it, etc.

Again, the issue is not an issue for someone who understand how to keep their account secure, the issue is for the billions of people who do not understand or adhere to the best account security principles. Why is the #1 password used today simply 123456? Because humans are generally dumb when it comes to security.

 

[Mendalla]

Again, the issue is not an issue for someone who understand how to keep their account secure, the issue is for the billions of people who do not understand or adhere to the best account security principles.

This. I work in IT and we have a raft of Windows group policies to enforce things like screens locking after a period of inactivity, minimum password standards, etc. just because we know we can't count on users to do it. And, for some things, we do require MFA now (e.g. logging in to our VPN). It will be interesting to see how MS's "passwordless security" ends up working out. I haven't really seen it in action yet, just read about it and still not sure if it's a solution or just another problem (or somewhere in between as tends to be the case with MS).

 

[Neilski]

So now, someone can just remove the Security keys/Passkeys, PGP, Authenticator and Telegram options without an email notice or requiring them to verify they have access to one of those currently.

The way I see it, the number of XF users that are protected very effectively by just switching on 2FA is pretty large.
The number of those people who will ever be pwned by someone accessing their forum account while they are logged on but AFK seems likely to be tiny. Such users will for sure require admin assistance.
On the other hand, the number of users who will attempt to switch off 2FA before the browser token expires, because they have lost their authenticator, is also likely to be tiny, but maybe larger than the tiny number above These users would require admin assistance if the system didn't permit 2FA deactivation without 2FA entry.
So, which subset of users would require less attention?

A happy medium could indeed be a simple email notification that 2FA settings were changed (I had originally believed that this already happened!). I'd definitely vote for that

If someone claims to have lost their 2FA capability and hits the button to switch it off, it might make sense for the system to let them confirm their identity by email instead of requiring one of the enabled methods (this is one interpretation of your words but I don't think you meant them that way), but this feels kinda wrong given that XF recommends against email as a 2FA method. (Also, I note that you aren't using it yourself.)

 

[digitalpoint]

On the other hand, the number of users who will attempt to switch off 2FA before the browser token expires, because they have lost their authenticator, is also likely to be tiny, but maybe larger than the tiny number above These users would require admin assistance if the system didn't permit 2FA deactivation without 2FA entry.

Agreed. Along the same lines, another thing that would be nice is if the Require two-step verification user group permission wasn't a Yes/No option, rather an integer as Minimum required two-step verification methods. Then it being set to 0 or 1 would make it function the same as it does now, but you could also increase that number to (hopefully) help with support issues where people lost their 1 two-step method.

Basically it's become an annoying unnecessary workload dealing with people who lost their two-step authentication or had their account hacked/phished. Google buy digitalpoint account, and you can see that somehow there's a market for people acquiring/buying/selling accounts on my site.

I only expect that to become a much bigger issue in the future because we are looking to allow users to deposit real cryptocurrency into their account to make purchases. So a lost/phished account also has the potential for the attacker to withdraw the user's unused crypto. Which is a big part of the reason I've been needing to really think out how to keep users protected from their own stupidity. We already have an issue where people are selling accounts for real money... if a stolen account now has real crypto on it they can withdraw, it's going to be a much bigger target than it already is.