Add a pre-enroll step for MFA, primarily as a CSRF gate
ClosedPublic

Authored by epriestley on Jan 23 2019, 5:50 PM.

Details

Summary

Depends on D20020. Ref T13222. This puts another step in the MFA enrollment flow: pick a provider; read text and click "Continue"; actually enroll.

This is primarily to stop CSRF attacks, since otherwise an attacker can put <img src="phabricator.com/auth/settings/enroll/?providerPHID=xyz" /> on cute-cat-pix.com and get you to send yourself some SMS enrollment text messages, which would be mildly annoying.

We could skip this step if we already have a valid CSRF token (and we often will), but I think there's some value in doing it anyway. In particular:

  • For SMS/Duo, it seems nice to have an explicit "we're about to hit your phone" button.
  • We could let installs customize this text and give users a smoother onboard.
  • It allows the relatively wordy enroll form to be a little less wordy.
  • For tokens which can expire (SMS, Duo) it might save you from answering too slowly if you have to go dig your phone out of your bag downstairs or something.
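The gate described in this summary, modelled as an added example that is not Phabricator's code: a constructed enrollment handler in which a GET (the request a cross-site `<img>` tag produces) or any request lacking a valid CSRF token only renders the confirmation dialog, and the live challenge (the SMS/Duo side effect) is generated solely by the POST that the dialog's "Continue" button submits with the session's token. The provider id, session model and return shapes are assumptions for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed session model (not Phabricator's): one CSRF token per session
# and a record of every challenge the "provider" was asked to send.
@dataclass
class Session:
    csrf_token: str
    sent_challenges: list = field(default_factory=list)


def new_session() -> Session:
    return Session(csrf_token=secrets.token_hex(16))


def handle_enroll(session: Session, method: str, params: dict):
    """Model of /auth/settings/enroll/ with a pre-enroll gate.

    Returns (kind, payload) where kind is "dialog", "challenge" or "error".
    Only the "challenge" branch has a side effect (a message to the user's
    phone in the real flow); it is reachable only by a POST that carries
    both the explicit continue flag and a CSRF token matching the session.
    """
    provider = params.get("providerPHID")
    if not provider:
        return ("error", "missing providerPHID")

    wants_continue = params.get("continue") == "1"
    token = params.get("csrf")
    token_ok = token is not None and hmac.compare_digest(token, session.csrf_token)

    # Step 1: anything that is not a confirmed, token-bearing POST gets the
    # dialog. A GET from an <img src=...> on another site lands here and
    # triggers nothing; the dialog's form posts back with the session token.
    if method != "POST" or not wants_continue or not token_ok:
        return ("dialog", {
            "providerPHID": provider,
            "text": "We're about to send a code to your phone. Continue?",
            "form": {"continue": "1", "csrf": session.csrf_token},
        })

    # Step 2: confirmed and CSRF-checked, so generate the live challenge.
    code = secrets.token_hex(4)           # constructed stand-in for an SMS/Duo code
    session.sent_challenges.append((provider, code))
    return ("challenge", {"providerPHID": provider, "code_length": len(code)})


def enroll_via_dialog(session: Session, provider: str):
    """Walk the legitimate two-step flow: open the dialog, then click Continue."""
    kind, dialog = handle_enroll(session, "GET", {"providerPHID": provider})
    assert kind == "dialog"
    post_params = {"providerPHID": provider, **dialog["form"]}
    return handle_enroll(session, "POST", post_params)


if __name__ == "__main__":
    s = new_session()
    print(handle_enroll(s, "GET", {"providerPHID": "PHID-AFPR-demo"})[0])   # dialog
    print(enroll_via_dialog(s, "PHID-AFPR-demo")[0])                        # challenge
    print(len(s.sent_challenges))                                           # 1
```

The check is deliberately redundant with the framework's usual POST-level CSRF validation: even a request that already carries a valid token sees the dialog first, which is the "explicit button before we hit your phone" behaviour the summary argues for.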
Test Plan

Added factors, read text. Tried to CSRF the endpoint, got a dialog instead of a live challenge generation.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable