TFA: Authorize via trusted device

Kirby

Well-known member
When using a currently untrusted device it's kinda tedious to enter the OTP (generated on another device or sent via email).

If the device used to generate OTPs is currently trusted, it might be a lot easier to authorize the "new" device directly from there.

This could work by offering a new method "Trusted Device".
If this method is selected, (all) trusted devices would show a message to authorize the "new" device with a click / tap (or reject / cancel).

If accepted, the "new" device would automatically finish the TFA process.
 
Upvote 6
In case it ever gets consideration, I've messed with a few options to do it so maybe I can save some time... For some browsers, you can handle it as a "Push notification TFA" (don't even need to load a browser to complete it). Unfortunately not all browsers support push notification action buttons yet.


...but for the browsers that do, you can just do a push notification that lets a user just click, "Approve" or "Deny" action buttons on the push notification.


The other issue that popped up is that if you want to do it "cleanly", you do it in conjunction with a WebSockets server so the instant someone clicks "approve" the browser that initiated the request is notified it was approved. The other option is to simply poll for results every few seconds.

Due to push notification action buttons not being supported in Firefox or Safari, I ended up doing it with Telegram (for a site that allows Telegram as a TFA). Telegram bot asks them if they initiated the login, they get a fancy little map showing where in the world it originated from and they just have to click "Yep, that's me".

When push action buttons are more widely supported, it's going to be a great TFA option imo.

 
Even without push notification action I think that
  1. Launch the PWA
  2. Get confirmation dialog
  3. Tap OK
Is a lot easier than
  1. Launch OTP app
  2. Select target website
  3. Switch to other device
  4. Type in the code by reading from trusted device screen (or type from brain memory) ... and if unlucky start over because the code just changed (lol)
 
Ya 100% it is. Anything where you have to type something sucks for TFA. Being able to simply click when possible is much preferred, whether that be on a push notification action button, in the PWA app or other options as well (for example Passkeys or Telegram). Even a link in an email would be a better option for the email TFA (not that I would recommend ever using email as TFA).
 
If the device used to generate OTPs is currently trusted, it might be a lot easier to authorize the "new" device directly from there.
Like MS Authenticator when I am logging in to the office VPN with my work account. It just prompts for approval on my phone and I tap "Approve".

I like if that's what you're getting at.
 