Maniphest T13138

Improve consistency of MFA requirements to invite/approve users
Open, WishlistPublic
Actions

Assigned To

None

Authored By

	epriestley
	May 14 2018, 2:14 PM

Tags

Referenced Files

None

Subscribers

Description

See D19448. See https://hackerone.com/reports/351361.

We're currently inconsistent about MFA requirements for creating user accounts. On the main flow, you must MFA to create users after D19448. But you can still create users indirectly (by inviting or approving them) without MFA.

You can also edit Auth providers and enable registration without MFA.

Creating users isn't particularly dangerous, but could possibly be a tool that is used as part of a larger attack (for example, to extend illicit access). The current check is also effective at preventing the creation of special accounts (bots and mailing lists) without MFA, so it isn't entirely silly.

Probably, all of this should require MFA:

inviting users;
approving users;
managing Auth providers.

See also T7667 for additional controls around Auth provider management.

Related Objects

Mentioned In: T13222: 2018 Week 48-51 Bonus Content
2018 Week 20 (Late May)
Mentioned Here: T13222: 2018 Week 48-51 Bonus Content
D19448: Consistently require MFA on the actual user creation flow
T7667: Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI

Event Timeline

epriestley triaged this task as Wishlist priority.May 14 2018, 2:14 PM

epriestley created this task.

Herald added subscribers: cburroughs, andypuettmann, eadler, revi. · View Herald TranscriptMay 14 2018, 2:14 PM

hskiba added a subscriber: hskiba.May 15 2018, 2:33 PM

epriestley mentioned this in 2018 Week 20 (Late May).May 19 2018, 12:23 AM

epriestley mentioned this in T13222: 2018 Week 48-51 Bonus Content.Nov 26 2018, 5:07 PM

From T13222, MFA on related flows should generally be updated.

Session MFA should be replaced with one-shot MFA where possible.
Retained session MFA should get workflow keys.