
Add "High Security" mode to support multi-factor auth

Authored by epriestley on Apr 24 2014, 1:55 AM.



Ref T4398. This is roughly a "sudo" mode, like GitHub has for accessing SSH keys, or Facebook has for managing credit cards. GitHub actually calls theirs "sudo" mode, but I think that's too technical for big parts of our audience. I've gone with "high security mode".

This doesn't actually get exposed in the UI yet (and we don't have any meaningful auth factors to prompt the user for) but the workflow works overall. I'll go through it in a comment, since I need to arrange some screenshots.

Test Plan

See guided walkthrough.

Diff Detail

rP Phabricator
Lint Skipped
Unit Tests Skipped

Event Timeline

epriestley retitled this revision from to Add "High Security" mode to support multi-factor auth. Apr 24 2014, 1:55 AM
epriestley updated this object.
epriestley edited the test plan for this revision.
epriestley added reviewers: btrahan, chad.
epriestley updated this revision to Diff 21002.

When you try to take a "high security" action (like adding a new public key to your account)... you get prompted to enter "high security" mode. In the future, this will request an SMS code, TOTP token, or password:

If you get past the prompt, you enter high security and can perform the action. High security is bound to your session and lasts for 15 minutes. While in high security, a persistent notification reminds you to leave it when you're done.

The session panel has been updated to show which sessions are in high security. You can downgrade your session to normal security from this UI, too.

If you downgrade or click the notification, you leave high security:

Choosing to leave restores your session to normal:
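
The workflow described in the walkthrough above, as an added example that is not Phabricator's own code: a high-security flag bound to one session rather than the user, a factor check at the prompt, a 15-minute expiry, and a downgrade path. The `HighSecurityGate`, `Session`, `verify_factor` and `FACTOR_CODES` names, the constructed per-user code, and the injectable clock are assumptions made for this example.

```python
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

HIGH_SECURITY_TTL = 15 * 60  # seconds: the 15-minute window from the walkthrough

# Constructed stand-in for a real factor (SMS code, TOTP, password): one expected
# code per user. A real deployment would check against a factor provider instead.
FACTOR_CODES: Dict[str, str] = {"alice": "482910"}

def verify_factor(user: str, code: str) -> bool:
    expected = FACTOR_CODES.get(user, "")
    # constant-time comparison so a wrong code cannot be distinguished by timing
    return hmac.compare_digest(expected.encode(), code.encode())

@dataclass
class Session:
    session_id: str
    user: str
    high_security_until: Optional[float] = None  # None means normal security

class HighSecurityGate:
    # Elevates individual sessions and gates sensitive actions on that state.
    def __init__(self, verify: Callable[[str, str], bool] = verify_factor,
                 clock: Callable[[], float] = time.time) -> None:
        self._verify = verify
        self._clock = clock  # injectable so expiry can be tested deterministically

    def is_elevated(self, session: Session) -> bool:
        until = session.high_security_until
        return until is not None and self._clock() < until

    def enter(self, session: Session, code: str) -> bool:
        # The prompt: elevates only this session, and only with a valid factor.
        if not self._verify(session.user, code):
            return False
        session.high_security_until = self._clock() + HIGH_SECURITY_TTL
        return True

    def leave(self, session: Session) -> None:
        # Downgrade to normal security (notification click or session panel).
        session.high_security_until = None

def add_public_key(gate, session, keys, pubkey):
    # A "high security" action: refused unless the session is currently elevated.
    if not gate.is_elevated(session):
        raise PermissionError("high security mode required for this action")
    keys.append(pubkey)
    return keys
```

A second session of the same user stays at normal security until it passes the prompt itself, and an elevated session drops back on its own once the window lapses.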

btrahan edited edge metadata.
btrahan accepted this revision.
This revision is now accepted and ready to land. Apr 25 2014, 1:03 AM
epriestley closed this revision. Apr 28 2014, 12:31 AM
epriestley updated this revision to Diff 21062.

Closed by commit rPf42ec84d0c6b (authored by @epriestley).