Page MenuHomePhabricator

Add a pre-enroll step for MFA, primarily as a CSRF gate
ClosedPublic

Authored by epriestley on Jan 23 2019, 5:50 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Dec 12, 10:25 PM
Unknown Object (File)
Mon, Dec 9, 12:07 AM
Unknown Object (File)
Sat, Dec 7, 11:00 AM
Unknown Object (File)
Sat, Dec 7, 9:01 AM
Unknown Object (File)
Thu, Dec 5, 10:29 PM
Unknown Object (File)
Sat, Nov 30, 11:37 PM
Unknown Object (File)
Nov 12 2024, 1:48 AM
Unknown Object (File)
Nov 4 2024, 12:57 AM
Subscribers
None

Details

Summary

Depends on D20020. Ref T13222. This puts another step in the MFA enrollment flow: pick a provider; read text and click "Continue"; actually enroll.

This is primarily to stop CSRF attacks, since otherwise an attacker can put <img src="phabricator.com/auth/settings/enroll/?providerPHID=xyz" /> on cute-cat-pix.com and get you to send yourself some SMS enrollment text messages, which would be mildly annoying.

We could skip this step if we already have a valid CSRF token (and we often will), but I think there's some value in doing it anyway. In particular:

  • For SMS/Duo, it seems nice to have an explicit "we're about to hit your phone" button.
  • We could let installs customize this text and give users a smoother onboard.
  • It allows the relatively wordy enroll form to be a little less wordy.
  • For tokens which can expire (SMS, Duo) it might save you from answering too slowly if you have to go dig your phone out of your bag downstairs or something.
Test Plan

Added factors, read text. Tried to CSRF the endpoint, got a dialog instead of a live challenge generation.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable