...
Note that it is important to give the user at least one way to recover access without the OTP application. We can later extend this using for example SMS or Email as a backup to send the user otp codes to regain access. We would also need to setup a way for the user to contact us in case any attempt to regain access is failing so that we can potentially help them regain access (e.g. disable 2FA for them once their identify is verified).
API | Request | Response | Description | |||||
|---|---|---|---|---|---|---|---|---|
POST /2fa/enroll |
|
| Initiate the enrollment for the user to 2FA. The server generates a shared secret to use with an OTP application that is sent back to the user. The client can generate a QR code for convenience so that the user can scan the secret when adding it to the OTP application (e.g. google authenticator). The URL to embed in the QR code can follow this format: https://github.com/google/google-authenticator/wiki/Key-Uri-Format#issuer . For example: Note that the endpoint can be invoked even if the user has 2FA already enabled. The server will re-generate a secret that is not used until it is enabled, this allows the user to reset the 2FA without affecting existing 2FA. | |||||
POST /2fa |
|
| Enable 2FA for the user, uses the secret that was generated from the enroll API. Note that the server will use only one secret to verify TOTPs. This backend will replace other 2FA secrets already enabled if the request is successful. | |||||
POST /2fa/recovery_codes |
| Re-generates a set of recovery codes (we can provide at least 10 codes). The codes are a one-time use code that the user can use to recover access to their account. This endpoint will re-generate the codes on each call and associate them with the currently enabled 2FA. The generated codes are hashed and never retrieved again. Note that the user can end up using all of the recovery codes, in this case we should warn the user (maybe an email, or a notification in the browser?) that new codes should be re-generated. If 2FA is not enabled the API will return a 400. | ||||||
DELETE /2fa | Disable 2FA for the user. If 2FA is not enabled the API will return a 400. |
Proposed 2FA auth API Design
...
The 2fa_token and a totp code can be used to finalize authentication with 2fa:
API | Request | Response | Description | |||||||
|---|---|---|---|---|---|---|---|---|---|---|
/2fa/token |
|
| Allows to obtain an access token in exchange from the The otp_type parameter can be one of [totp, recovery_codes], the value of the otp_code is treated as the generated totp or a recovery code according to the type. |
For example, first we send a login request:
...
| Code Block |
|---|
HTTP/2 200
{"access_token": "c3VwZXIgczNjcjN0IGFjY2VzcyB0b2tlbg=="} |
Open Questions
Should we implement some sort of step-up authentication? E.g. when the user tries to create a PAT, should we ask for the 2FA code? Or is it enough to validate that the user has 2FA enabled?
→ We decided to avoid adding additional checks, we need to inform the user when PAT are added/removed with an email.The design requires that the 2FA/token takes in input a 2FA_token. This token would help the backend to understand the context (e.g. login, scopes). This is needed because Synapse does not use sessions and we need to support google as a 3rd party. How long should this token be valid? Should it be a one-time use token?
→ The token should only be valid for a brief time, e.g. 5 minutes.I specifically didn’t add any validation for access tokens. This means that even after enrolling in 2FA existing tokens will be valid. Should we instead encode into the access tokens a claim such as “2fa_auth_time” that we can validate (for presence only) when the user has 2FA enabled? This would mean that any token after 2FA is enabled will be invalidated and the user needs to login again (potentially having to input the 2FA code twice).
→ This is still open for discussion: on one hand invalidating previous issued tokens is more secure, on the other hand it has the potential to break existing workflows and script and reducing usability →Jira Legacy server System JIRA serverId ba6fb084-9827-3160-8067-8ac7470f78b2 key PLFM-7637 Relevant to the previous point: using the refresh token grant we can technically keep refreshing tokens without user interaction (at least through an oauth client), should we limit the amount of time before the user needs to re-authenticate? E.g. Using the previous 2fa_auth_time we could check if 2fa is enabled and if it was performed in the last 30 days.
→ We decided that client token issued through client credentials are secure enough and there is no need for additional 2FA checkingShould we send an email when we enable/disable 2FA with a link to the documentation?
→ Open JIRA(s) related to this.Should we implement the standard to support for the acr_values in the /oauth2/token endpoint to allow oauth clients to enforce the use of 2FA? (See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest ) →
Jira Legacy server System JIRA serverId ba6fb084-9827-3160-8067-8ac7470f78b2 key PLFM-7629 What other ways should we support as a backup to regain access to the account (aside from recovery codes)? Email, sms, security keys? →
Jira Legacy server System JIRA serverId ba6fb084-9827-3160-8067-8ac7470f78b2 key PLFM-7633