Requiring current authentication before adding new MFA keys #681
Comments
Possible, yes of course, but it would not really boost the security that much, I can only imagine one very specific case.
Tbh, if this is the case, you got 99 problems, but an additional MFA key ain't one. It's impossible to protect everything if someone is so stupid (or lazy) that a machine is left logged-in unattended. In fact, you should not even use that machine anymore at all after something like that, because if an attacker would find if, the machine is most probably rooted, is running hidden reverse shells, has a keylogger, or other additional backdoors. in such a case, someone would not even add an MFA key in plain sight, which is obvious, but would stay hidden and benefit from the access for probably a very long time. This is the same as someone not expecting thiefs stealing all their stuff, while they go into holiday while leaving their houses front door wide open, or your car to not get stolen, while you leave they keys in, engine running, but you went away for shopping. If such a machine is unattended, the attacker has access to everything anyway already and can stay hidden. He would also most probably have access to emails used for password resets which make additional password authentication useless, he has access to the possibly existing password manager, which makes software passkeys worthless, and a person leaving everything unprotected would also not take care about taking a hardware security key out of the machine. Someone doing that is probably not even using a password manager and even less likely a hardware passkey. The only situation where you could be prevented from account takeover is if the user uses a proper hardware passkey with active PIN / biometric verification and you request re-auth each time (which kills UX quite a bit). But if you have a person caring about security that much, a machine would not be left open and unattended, since it take 1 second a lock a machine and only a few more to unlock it. The best thing you can do is to train your employees properly and have short lived sessions. You could reduce the even already pretty short session lifetime even further, if you like. A login with a passkey usually takes less than 3 seconds anyway. I am not saying I won't add it. In fact, it makes sense to some degree, but it does not bring that huge jump in security you would like, only a very tiny bit. I will probably do it in a way that you can change things for like 3 minutes after a fresh login (or re-auth) to not kill the UX completely. Regarding the E-Mail notification, I thought about adding the typical "new login from unknown host" E-Mail at some point, but this is quite a bit farther in the future. I do have a lot of other things on the TODO right now. However, a PR is always welcome. |
Would it be possible to require re-authentication before adding new MFA keys?
Currently, when a browser session is active, no further authentication is required for setting up another MFA key.
An attacker that has access to an active session (for example on an unlocked computer) can add his own MFA key and gain persistent access to that account.
Furthermore, the user receives no notification that a new MFA key has been added which makes this persistence more likely to go unnoticed.
The text was updated successfully, but these errors were encountered: