
Authentication: MFA - Improve 2nd factor verify flow


Details

    • MOODLE_403_STABLE
    • master_MDL-78534

      The test process will allow you to test the UI changes introduced to MFA by this patch.

      Prerequisites

      To test this issue you'll need a Moodle site that you have admin access to, can update the code on, and that is capable of sending emails.
      You will also need a WebAuthn-compatible token such as a YubiKey, and a mobile device with an authenticator app such as Google Authenticator.

      Having an admin account makes it easier to move through all of the test settings.
      If you don't have CLI access to the instance, make sure you have access to two separate admin accounts, as part of the testing will lock out a user.

      Setup

      More detailed setup instructions for MFA testing can be found in MDL-78509; the following setup steps are just the basics and some knowledge is assumed.

      1. Apply the patch and upgrade
      2. Log into the site as an admin
      3. Navigate to: Site administration > plugins > administration tools > Multi-factor authentication
      4. In the factor table enable the following factors in this order (this will help with testing), all factor defaults can be left as they are:
        1. E-mail factor
        2. Authenticator app
        3. Security key
      5. Scroll down to "General MFA Settings"
      6. Enable the "MFA plugin enabled" Checkbox
      7. Set the "Lock out threshold" to 3
      8. In the "Urls which should not redirect the MFA check" text area enter "/user/contactsitesupport.php"
      9. Click save changes
      10. Navigate to: Site administration > Server > Support contact
      11. Set a "support name"
      12. Set a "support email" address
      13. Ensure "contact site support link" is empty
      14. Set the "Support availability" to "Limited to authenticated users"
      15. Click save changes
      16. While still logged in as an admin, click on the user's profile picture in the top nav bar.
      17. Click "preferences"
      18. Under "User account" click on "Multi-factor authentication"
      19. Click "Setup App" and follow the instructions to set up your TOTP authenticator app factor
      20. Click "Setup authenticator" to set up your security key (YubiKey etc.)
      21. Log out the administrator user

      First set of tests

      1. Enter the username and password and click login for the admin user you set up the factors for
      2. On the 2-step verification page check that the obfuscated email address has the correct start and end character and domain as the email address for your admin account
      3. Enter the code from the email that is sent to that address
      4. Confirm that upon entering the last digit of the emailed code correctly, the form auto submits.
      5. Confirm you are logged in correctly
      6. Log out

       

      1. Enter the username and password and click login for the admin user you set up the factors for
      2. On the 2-step verification page click "cancel login"
      3. Confirm you are returned to the manual login page without errors shown

       

      1. Enter the username and password and click login for the admin user you set up the factors for
      2. On the 2-step verification page click the contact site support link at the bottom of the page
      3. Confirm you are sent to the site contact form in Moodle
      4. Click Cancel
      5. Confirm you are returned to the 2 step verification page.

       

      1. On the 2-step verification page, under "Try another way to verify" click "Use authenticator application"
      2. Confirm the page reloads and that the verification option is now "Verify it's you by mobile app"
      3. Enter the code from your configured mobile app authenticator
      4. Confirm that upon entering the last digit of the code correctly, the form auto submits.
      5. Confirm you are logged in correctly
      6. Log out

       

      1. Enter the username and password and click login for the admin user you set up the factors for
      2. On the 2-step verification page, under "Try another way to verify" click "Use authenticator token"
      3. Confirm the page reloads and that the verification option is now "Verify it's you by authenticator token"
      4. Click the continue button
      5. Confirm you are prompted to use your security key
      6. Upon touching your token, confirm you are logged in correctly.
      7. Log out

       

      1. Enter the username and password and click login for the admin user you set up the factors for
      2. On the 2-step verification page check that the obfuscated email address has the correct start and end character and domain as the email address for your admin account
      3. Enter an incorrect code
      4. Confirm you are not logged in and the following form error is displayed: "Wrong code. Try again. You have 2 attempts left."
      5. Enter in the wrong code 2 more times
      6. Confirm that the form is now locked and you cannot enter/change the code, and the continue button is disabled
      7. Under "Try another way to verify" click "Use authenticator application"
      8. Confirm the page reloads and that the verification option is now "Verify it's you by mobile app"
      9. Confirm under "Try another way to verify" that the option "Have a code emailed to you" is disabled and has the text "(Unavailable)" appended to it
      10. Enter an incorrect code
      11. Confirm you are not logged in and the following form error is displayed: "Wrong code. Try again. You have 2 attempts left."
      12. Enter in the wrong code 2 more times
      13. Confirm that the form is now locked and you cannot enter/change the code, and the continue button is disabled
      14. Under "Try another way to verify" click "Use authenticator token"
      15. Confirm the page reloads and that the verification option is now "Verify it's you by authenticator token"
      16. Click the continue button
      17. Interact with your security token
      18. Confirm you're logged in.

      Settings update

      1. While logged in as an admin
      2. Navigate to: Site administration > plugins > administration tools > Multi-factor authentication
      3. Click the checkbox for "Use guidance page" to enable it
      4. Add some test content to the "Guidance page content" text area. For example: "This is some test guidance page content"
      5. Click save changes
      6. Log out as admin

      Second set of tests

      1. Enter the username and password and click login for the admin user you set up the factors for
      2. On the 2-step verification page click the "MFA user guide" link at the bottom of the page
      3. Confirm you can see the test guidance page content you entered previously
      4. Click "Home" from the top navigation bar.
      5. Confirm you are returned to the 2 step verification page.
      6. Log in using one of the enabled factors

      Settings update

      1. While logged in as an admin
      2. Navigate to: Site administration > plugins > administration tools > Multi-factor authentication
      3. Disable the "Email" and "Security key" factors
      4. Log out as admin

      Third set of tests

      1. Enter the username and password and click login for the admin user you set up the factors for
      2. Confirm that the only option to complete is "Verify it's you by mobile app"
      3. Enter the wrong code 3 times
      4. Confirm that you are presented with the "Unable to authenticate" error.
      5. Click the "log out" button

       

      1. Enter the username and password and click login for the admin user you set up the factors for
      2. Confirm that you are presented with the "Unable to authenticate" error.
      3. Click the "log out" button
      4. (you will now need to reset the factor for that user OR disable the MFA plugin)

       

      NOTE: If you mess things up and lock yourself out, you can disable the whole MFA plugin from the CLI:

      php admin/cli/cfg.php --component=tool_mfa --name=enabled --set=0
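As an added example (not Moodle's or tool_mfa's own code), the following Python model encodes the lockout behaviour the test sets above verify: the per-factor failure counter against the threshold of 3, the "attempts left" message, a locked factor shown as "(Unavailable)", and "Unable to authenticate" once every enabled factor is locked. The message strings come from the steps as written; the asterisk masking inside obfuscate_email is an assumption, since the steps only say which characters must survive.

```python
"""Model of the second-factor verification behaviour the test steps above
assert on (constructed example, not tool_mfa's own code): per-user,
per-factor failure counters with a lockout threshold, the "attempts left"
message, "(Unavailable)" factors and the "Unable to authenticate" outcome."""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 3  # the "Lock out threshold" value set in the setup steps


def obfuscate_email(address: str, mask_char: str = "*") -> str:
    """Keep the first and last character of the local part and the whole
    domain, which is what the first test checks on the 2-step page.
    The mask character is an assumption; the page only says what survives."""
    local, _, domain = address.rpartition("@")
    if len(local) <= 2:
        return f"{local}@{domain}"  # nothing lies between first and last char
    return f"{local[0]}{mask_char * (len(local) - 2)}{local[-1]}@{domain}"


@dataclass
class FactorLockoutState:
    """Failure counters for one user.  They outlive the login session: the
    third set of tests shows a re-login going straight to "Unable to
    authenticate" until the factors are reset or the plugin is disabled."""
    enabled_factors: list[str]
    threshold: int = LOCKOUT_THRESHOLD
    failures: dict[str, int] = field(default_factory=dict)

    def is_locked(self, factor: str) -> bool:
        return self.failures.get(factor, 0) >= self.threshold

    def all_locked(self) -> bool:
        return all(self.is_locked(f) for f in self.enabled_factors)

    def available_factors(self) -> list[str]:
        """Entries for "Try another way to verify"; locked ones carry the
        "(Unavailable)" suffix and are not selectable in the UI."""
        return [f + (" (Unavailable)" if self.is_locked(f) else "")
                for f in self.enabled_factors]

    def submit_code(self, factor: str, entered: str, expected: str) -> str:
        """Outcome of one code submission, using the page's own messages."""
        if factor not in self.enabled_factors:
            raise ValueError(f"factor {factor!r} is not enabled")
        if self.all_locked():
            return "Unable to authenticate"
        if self.is_locked(factor):
            return "Form locked"  # input and continue button disabled
        if hmac.compare_digest(entered, expected):
            return "Logged in"
        self.failures[factor] = self.failures.get(factor, 0) + 1
        if self.all_locked():
            return "Unable to authenticate"
        if self.is_locked(factor):
            return "Form locked"
        left = self.threshold - self.failures[factor]
        return f"Wrong code. Try again. You have {left} attempts left."

    def reset_factors(self) -> None:
        """Admin reset of the user's factors (step 4 of the final test)."""
        self.failures.clear()
```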

       

    • 2
    • Team Hedgehog 2023 Sprint 3.1, Team Hedgehog 2023 Sprint 3.2

    Description

      There is room to improve the current UX and UI of how the second factor is presented to users once they have logged in, aligning it more with the "standard" methods used by other web applications that support MFA/2FA. This issue will implement a first round of improvements to this workflow.

      The next step is a UX review of the new UI screens.

      The mock ups:

      • MFA_options_auth_code.png
      • MFA_options_auth_token.png
      • MFA_options_email.png

      These mockups show a new UI that is presented to the user after they have logged in (entered username and password etc.).
      The "verify another way" section shows other available (configured) MFA methods for that user.

      What if I have LOTS of configured factors?

      As shown in Google2.png, there can be many configured MFA options for a user, so this needs to be considered. However, the existing implementation (even without these UI changes) shows only ONE input option per factor type: if you have 3 authenticator apps configured in your Moodle user preferences, only one code input form field is displayed in the UI. This needs to be verified for WebAuthn methods; it is expected that they operate the same way. However, IF WebAuthn creates an option per hardware device, one option would be to show up to 3 methods with a "show more options" link when a user has more than 3 auth methods available; this would expand the list dynamically without reloading the page. Most users will only have the minimum required by their organisations.

      The background of this page should have the same background image (if set) as the manual authentication page does.

      The "buttons" for the other available authentication types should have their text as links to make it more explicit to what they do and to help with accessibility.

       

      Attachments

        1. github_MFA.png (39 kB)
        2. Google1.png (126 kB)
        3. Google2.png (156 kB)
        4. AWS2.png (58 kB)
        5. AWS1.png (72 kB)
        6. MFA_options_auth_code.png (44 kB)
        7. MFA_options_auth_token.png (41 kB)
        8. MFA_options_email.png (44 kB)
        9. Before-Code-Entered-MFA-FIGMA-PROTO.png (31 kB)
        10. Email-MFA-FIGMA-PROTO.png (33 kB)
        11. MobileAPP-MFA-FIGMA-PROTO.png (31 kB)
        12. WrongCode-MFA-FIGMA-PROTO.png (38 kB)
        13. Email-Grey-Unclickable-MAXFAIL-MFA-FIGMA-PROTO.png (28 kB)
        14. MaxFailAttempts-MFA-FIGMA-PROTO.png (42 kB)
        15. MDL-78534_allFactorsLocked.png (110 kB)
        16. MDL-78534_Userguide.png (117 kB)
        17. MDL-78534_SecondSetOfTests.png (48 kB)
        18. MDL-78534_securityKeyOK.png (101 kB)
        19. MDL-78534_Test1Email.png (97 kB)
        20. MDL-78534_wrongcCode.png (104 kB)
        21. MDL-78534_wrongcCodeLocked.png (65 kB)
        22. MDL-78534_guide.png (45 kB)
        23. MDL-78534-third set of tests.png (711 kB)
        24. MDL-78534-second set of tests.png (371 kB)
        25. MDL-78534 -first set of tests.png (1.49 MB)
        26. token_register.png (183 kB)
        27. first_set_1.png (180 kB)
        28. first_set_2.png (359 kB)
        29. second_set.png (197 kB)
        30. image-2023-09-14-16-05-23-946.png (147 kB)


            People

              matt.porritt@moodle.com Matt Porritt
              Raquel Ortega Raquel Ortega
              Ilya Tregubov Ilya Tregubov
              Ron Carl Alfon Yu Ron Carl Alfon Yu

                Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 week, 1 day, 3 hours, 37 minutes
                  1w 1d 3h 37m
