Two factor authentication - a couple of questions

Posted on Thu Jul 14, 2016 12:56 pm by Chameleon (Posts: 611, Joined: Oct 04, 2014)

One of the features that's been requested is the ability to use two factor authentication (2FA)

From what I can understand this was introduced in iOS 9/El Capitan as a more secure login technique and I want to check to see if users who want this feature understand it and can help me define the use case.

As I understand it:

    2FA is an optional feature that a user can switch on or off

    It depends on creating 'trusted devices' (e.g. personal iPhone or iPad)

    When a user signs into a 'new' device a verification code can be requested which is sent to a 'trusted' device selected by the user

    The user then signs into the 'new' device with a password and the 6 digit verification code

    The login is then authenticated and the verification isn't required again for approximately 2 months

If 2FA is used on an Apple Account then the user will have to 'trust' the browser on the device that the Indigo Server is running on

For me that indicates the following use case:

Part 1 - Initial setup

    If a 2FA requirement is detected then the 'browser' that iFindStuff uses needs to be verified. The plugin would have to recognise that 2FA is turned on and that a user hasn't authorised the plugin to login (e.g. it's not a trusted login). The plugin uses a faux browser which isn't the one that you'd normally use on your system.

    A user needs to be able to select 'trusted' device for the verification code

    The code is sent and then the user enters it to trust the browser for future logins

Once done - the user is only required to use the normal Apple Id and Password for future logins until they fully sign out, their password changes or after a set period from Apple (currently 2 months)

Part 2 - iFindStuff

Once the browser is 'trusted' iFindStuff can log into the Apple Id in the normal way unless there is a requirement to verify again, at which point the 'Part 1' process will need to be re-run and the plugin disabled until this is completed.

From a user perspective that would mean a couple of extra steps to get iFindStuff working. From a development perspective I think that we would need a separate process to manage Part 1 correctly. There would also be a need to advise the user when the verification is required again.

So I'm proposing the following approach:

    On startup iFindStuff will check to see if 2FA is required for each Apple Account Device created

    If required - a separate dialog box will open which will a) show all trusted devices, b) ask the user to enter their Apple Id and Password, and c) ask the user to select a device to be used (e.g. to be sent the 6 digit code)

    When the code and device are entered the plugin will verify the device and the faux browser it uses. It will record the verification approval and the date/time that it was accepted

    In use - iFindStuff will check to ensure that the account access is 'trusted' and then log in in the normal way if it is

    If the 2FA fails iFindStuff will be disabled and the user will be sent an email/advised in the Indigo Log on a daily basis that iFindStuff is non-operational until the verification process is completed again

    If the user changes their login process (e.g. 1FA) then iFindStuff will revert to the current process of using the Apple Id and Password only


My sense check here is that iFindStuff will be automatically disabled for any account that hasn't got a 'trusted' status for iFindStuff. 1FA accounts in the same Indigo setup would carry on working as usual, but this is likely to be an unusual scenario and I'd probably give the user the option to disable all accounts in the Indigo setup if 2FA failed for one of them.

Current prototyping

I've looked into how this can be achieved and I'm fairly certain that I can do all of the above. I'll need to test that it works correctly but the actual development doesn't look that complicated (assuming that Apple haven't introduced any curve balls such as on-going security messages).

So far I've tested:

    Identification that an account uses 2FA

    Listing 'trusted devices' on an account

    Sending a verification request and getting a code on my iPhone

    Entering the code into a dialog box and verifying iFindStuff as a trusted app

    On-going iFindStuff access

I can do all of these from a python command line as I've proved today but I've got to test that I can either do it inside a plugin or, as I've done before, create an external programme that the plugin accesses to complete the verification process. That's the piece I've got to work on now.

It would be good if someone could check my understanding of the 2FA process above and confirm that they're happy with the two stage iFindStuff process for users. If users are using the current 1FA login process there will be no change to how they see the plugin working.

Thanks

Mike
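As an added example (not the plugin's own code, and not the real Apple login API), a small Python model of the two-stage flow proposed in the post: Part 1 trusts the faux browser with a code sent to a chosen trusted device, Part 2 checks that trust still holds before each normal login, a failed or expired verification disables the account, and the user is advised once a day while it is disabled. The client class, device name, verification code and startup time are constructed stand-ins; the 60-day window and daily advisory come from the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

TRUST_WINDOW = timedelta(days=60)     # "approximately 2 months", per the post
ADVISE_INTERVAL = timedelta(days=1)   # advise the user once a day while disabled
T0 = datetime(2016, 7, 14, 12, 56)    # constructed startup time for the demo

class FakeAppleClient:
    """Constructed stand-in for the plugin's faux-browser login; not a real API."""
    def __init__(self, requires_2fa, trusted_devices, expected_code):
        self.requires_2fa = requires_2fa
        self.trusted_devices = list(trusted_devices)
        self._expected_code = expected_code
    def send_verification_code(self, device):
        return device in self.trusted_devices   # a code only goes to a trusted device
    def validate_verification_code(self, device, code):
        return device in self.trusted_devices and code == self._expected_code

@dataclass
class AccountState:
    """What the plugin records per Apple account: approval time and status."""
    trusted_since: Optional[datetime] = None
    enabled: bool = True
    last_advised: Optional[datetime] = None

def part1_verify(client, state, device, code, now):
    """Part 1: trust the faux browser using a code sent to the chosen device."""
    if not client.requires_2fa:            # 1FA account: id/password only, as today
        state.trusted_since, state.enabled = None, True
        return True
    ok = client.send_verification_code(device) and client.validate_verification_code(device, code)
    state.trusted_since = now if ok else None
    state.enabled = ok                     # failed 2FA disables the plugin for this account
    return ok

def part2_check(client, state, now):
    """Part 2: before a normal login, confirm the trust window still holds; otherwise disable."""
    still_trusted = state.trusted_since is not None and now - state.trusted_since < TRUST_WINDOW
    state.enabled = (not client.requires_2fa) or still_trusted
    return state.enabled

def should_advise(state, now):
    """Log/email at most once per day while the account is disabled awaiting re-verification."""
    due = not state.enabled and (state.last_advised is None or now - state.last_advised >= ADVISE_INTERVAL)
    if due:
        state.last_advised = now
    return due
```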

