Confirmation forms should not require passwords

Created on 15 December 2017, about 7 years ago
Updated 30 July 2023, over 1 year ago

When I enable or disable TFA for an account, the first step is to re-authenticate on a confirmation page.

So far, so good.

The only method for re-authenticating is to supply my password. Not so good.

As a developer, I often log in using a one-time login link (generated with drush). I think that #2856520: tfa and tfa basic issues mentions that some systems use LDAP for authentication, so no one has a password.

Wouldn't it make sense to let the site admin choose one or more authentication methods for these confirmation forms? This module should consume itself!

We should implement it in a way that makes it easy for other modules to use the same authentication options. Maybe an authentication service?

Feature request
Status

Needs review

Version

2.0

Component

Code

Created by

🇺🇸United States benjifisher Boston area

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸United States cmlara

    It looks like to me the patches may have deviated from the original issue and are not on topic, as such I am marking them hidden in an attempt to re-focus this issue.

    While the patches do not appear to be very relevant in case they inspire work going forward I will note that personally I am not supportive of the hard coded special treatment for UID 1 nor the "bypass password confirm" as they both reduce security for a task that should require confirmation.

    I think that either password or any enabled plugin should be good enough for these confirmation pages. Maybe allow the site administrator to choose: that would cover the case where password authentication is not a valid option.

    This is probably the solution we need for now. An enabled plugin is actually probably better than password as it prevents a person who obtains the single factor from making changes.

    I imagine the edge case is the scenario of an external user that has not setup TFA and doesn't have a local password. For this aspect, what if we switch to using the user.auth service instead of the password service? That way LDAP (and similar) could decorate the service and provide authentication that TFA could use. Quick glance it doesn't appear the LDAP module currently does decorate the user.auth service however if we convert TFA a followup Feature Request could than be sent to them to do so.

    That probably doesn't solve SAML because of its fully off host nature probably would require us working in combination with the SAML modules to provide some standardization to the process.

  • Status changed to Needs work over 1 year ago
  • 🇺🇸United States cmlara

    Intended to set Needs Work as part of last post.

  • 🇺🇸United States jeremyr

    I agree that it would be more desirable to prompt a re-authentication with which ever auth plugin they used to sign in with rather than to provide a "bypass password confirm" permission.

    In the scenario described in the original post, the person logging in as User 1 will still not be able to perform this action since they probably don't even know what random string was generated for User 1's password in the first place. Perhaps the solution for that level user is a drush command?

    FWIW: The systems where I'm running into this issue I am using OpenID Connect connecting to an oAuth Server, not LDAP.

  • 🇺🇸United States cmlara

    In the scenario described in the original post, the person logging in as User 1 will still not be able to perform this action

    Hmm, fair point, and that is a tricky one as well similar to not having any way to internally authenticate them.

    Perhaps the solution for that level user is a drush command

    This actually may be the best method, we already allow admins with the appropriate permissions to provision a token for a user, adding a Drush command that allows provisioning from the CLI seems reasonable in that regard and would help us solve the issues.

    Combining converting the forms to use a token when one is set (otherwise use password) it seems like this would be a very reasonable change and might actually increase overall account security at the same time.

    I would suggest we create a seperate issue for the Drush command and leave this one just to change the form so we can discuss and commit each independently.

  • 🇮🇳India sksanjoo2

    Actually, there are two scenarios where the password form is triggered.
    1. To set up TFA at user//security/tfa/ga_login_totp
    2. To disable TFA at user/

    This patch disables the password form for uid 1 on both the above-said scenario. This patch is created for 1.8 version.

  • 🇺🇸United States cmlara

    Adjusting tags as this needs updates per #14 and #17

    Not treating UID:1 as special becomes even more relevant now that 📌 Add a container parameter that can remove the special behavior of UID#1 Fixed is into core.

    Switching the form to use the Core authentication service and offering an OTP when one is configured seems like our best solution.

    SSO users we can't really solve via the UI and fallback to a drush command seems best.

    Provide drush command to reset a user's TFA data Fixed was already added as one example of administrative commands in Drush.

    As an aside, D.O. has migrated away from the patch workflow. More details on contributing to issues on D.O. using MR's may be found at https://www.drupal.org/docs/develop/git/using-gitlab-to-contribute-to-dr...

  • 🇺🇸United States cmlara

    Hiding repeat patch in #22 to avoid future confusion.

Production build 0.71.5 2024