Feed: All Stories

Today

epriestley added a comment to D19899: Allow objects to be put in an "MFA required for all interactions" mode, and support "MFA required" statuses in Maniphest.

most/all of the extensions

Tue, Dec 18, 3:34 PM
epriestley requested review of D19899: Allow objects to be put in an "MFA required for all interactions" mode, and support "MFA required" statuses in Maniphest.
Tue, Dec 18, 3:21 PM
epriestley added a child revision for D19898: Tighten some MFA/TOTP parameters to improve resistance to brute force attacks: D19899: Allow objects to be put in an "MFA required for all interactions" mode, and support "MFA required" statuses in Maniphest.
Tue, Dec 18, 3:19 PM
epriestley added a revision to T13222: 2018 Week 48-51 Bonus Content: D19899: Allow objects to be put in an "MFA required for all interactions" mode, and support "MFA required" statuses in Maniphest.
Tue, Dec 18, 3:19 PM · Plans
epriestley awarded T13222: 2018 Week 48-51 Bonus Content a The World Burns token.
Tue, Dec 18, 3:17 PM · Plans
epriestley added a comment to T13222: 2018 Week 48-51 Bonus Content.

Notes for myself:

Tue, Dec 18, 3:06 PM · Plans
epriestley triaged T13226: Consider login/session alerts, and other security alerts (for example, around MFA) as Low priority.
Tue, Dec 18, 2:20 PM · Auth, Security
epriestley requested review of D19898: Tighten some MFA/TOTP parameters to improve resistance to brute force attacks.
Tue, Dec 18, 2:03 PM
epriestley added a revision to T13222: 2018 Week 48-51 Bonus Content: D19898: Tighten some MFA/TOTP parameters to improve resistance to brute force attacks.
Tue, Dec 18, 2:01 PM · Plans
epriestley added a child revision for D19897: Allow any transaction group to be signed with a one-shot "Sign With MFA" action: D19898: Tighten some MFA/TOTP parameters to improve resistance to brute force attacks.
Tue, Dec 18, 2:01 PM
epriestley added a comment to D19893: When accepting a TOTP response, require it respond explicitly to a specific challenge.

do other MFA implementations handle this differently?

Tue, Dec 18, 1:16 AM
epriestley added inline comments to D19894: Explicitly mark MFA challenges as "answered" and "completed".
Tue, Dec 18, 1:16 AM
epriestley added a comment to D19890: Simplify and correct some challenge TTL lockout code.

Does the human-visible Google Authenticator countdown correspond to multiple "timesteps" in TOTP RFC-ese?

Tue, Dec 18, 12:27 AM
amckinley accepted D19894: Explicitly mark MFA challenges as "answered" and "completed".
Tue, Dec 18, 12:19 AM
amckinley accepted D19893: When accepting a TOTP response, require it respond explicitly to a specific challenge.

Your device is showing T+3 if the clock is right, so if you type in what's shown on your device it won't be accepted.
...
If this doesn't get refined, I'll change the UI to say...

Tue, Dec 18, 12:11 AM

Yesterday

amckinley accepted D19890: Simplify and correct some challenge TTL lockout code.
Mon, Dec 17, 11:47 PM
amckinley accepted D19889: Bind MFA challenges to particular workflows, like signing a specific Legalpad document.
Mon, Dec 17, 11:38 PM
epriestley closed T9770: It is possible to use the same 2FA token more than once as Wontfix.

After the stack of changes under D19897 land:

Mon, Dec 17, 10:22 PM · Security, Auth
epriestley closed T13186: Upgrading: Legacy "Can Edit <Field>" policies in Maniphest; requireCapabilities() in TransactionEditor as Resolved.

This appears to be stable and working properly. D19897 removes a straggling guardrail.

Mon, Dec 17, 8:46 PM · Security, Policy, ApplicationEditor, Guides, Installing & Upgrading
epriestley added inline comments to D19897: Allow any transaction group to be signed with a one-shot "Sign With MFA" action.
Mon, Dec 17, 8:45 PM
epriestley updated the diff for D19897: Allow any transaction group to be signed with a one-shot "Sign With MFA" action.
  • Better ordering for capability checks?
Mon, Dec 17, 8:40 PM
epriestley requested review of D19897: Allow any transaction group to be signed with a one-shot "Sign With MFA" action.
Mon, Dec 17, 8:38 PM
epriestley added a child revision for D19896: In Legalpad, prompt for MFA at the end of the workflow instead of the beginning: D19897: Allow any transaction group to be signed with a one-shot "Sign With MFA" action.
Mon, Dec 17, 8:37 PM
epriestley added a revision to T13222: 2018 Week 48-51 Bonus Content: D19897: Allow any transaction group to be signed with a one-shot "Sign With MFA" action.
Mon, Dec 17, 8:37 PM · Plans
epriestley requested review of D19896: In Legalpad, prompt for MFA at the end of the workflow instead of the beginning.
Mon, Dec 17, 7:26 PM
epriestley added a child revision for D19895: Carry MFA responses which have been "answered" but not "completed" through the MFA workflow: D19896: In Legalpad, prompt for MFA at the end of the workflow instead of the beginning.
Mon, Dec 17, 7:24 PM
epriestley added a revision to T13222: 2018 Week 48-51 Bonus Content: D19896: In Legalpad, prompt for MFA at the end of the workflow instead of the beginning.
Mon, Dec 17, 7:24 PM · Plans
epriestley requested review of D19895: Carry MFA responses which have been "answered" but not "completed" through the MFA workflow.
Mon, Dec 17, 7:14 PM
epriestley added a revision to T13222: 2018 Week 48-51 Bonus Content: D19895: Carry MFA responses which have been "answered" but not "completed" through the MFA workflow.
Mon, Dec 17, 7:12 PM · Plans
epriestley added a child revision for D19894: Explicitly mark MFA challenges as "answered" and "completed": D19895: Carry MFA responses which have been "answered" but not "completed" through the MFA workflow.
Mon, Dec 17, 7:12 PM
epriestley requested review of D19894: Explicitly mark MFA challenges as "answered" and "completed".
Mon, Dec 17, 6:11 PM
epriestley added a child revision for D19893: When accepting a TOTP response, require it respond explicitly to a specific challenge: D19894: Explicitly mark MFA challenges as "answered" and "completed".
Mon, Dec 17, 6:10 PM
epriestley added a revision to T13222: 2018 Week 48-51 Bonus Content: D19894: Explicitly mark MFA challenges as "answered" and "completed".
Mon, Dec 17, 6:10 PM · Plans
epriestley updated the diff for D19893: When accepting a TOTP response, require it respond explicitly to a specific challenge.
  • Actually, just provide the clearer text ("recently issued a challenge which has expired") for now. We can refine this later if it makes sense, but this doesn't leave us with a rough edge hanging around.
  • Requested a challenge, waited 60-120 seconds, answered it, was told to wait because it had expired, waited, answered the next challenge.
Mon, Dec 17, 5:26 PM
epriestley requested review of D19893: When accepting a TOTP response, require it respond explicitly to a specific challenge.
Mon, Dec 17, 5:21 PM
epriestley added a child revision for D19890: Simplify and correct some challenge TTL lockout code: D19893: When accepting a TOTP response, require it respond explicitly to a specific challenge.
Mon, Dec 17, 5:19 PM
epriestley added a revision to T13222: 2018 Week 48-51 Bonus Content: D19893: When accepting a TOTP response, require it respond explicitly to a specific challenge.
Mon, Dec 17, 5:19 PM · Plans
epriestley renamed T13206: Diviner publishing can fail resoundingly with unusual file permissions [was: User documentation on "secure" is occasionally unpublishing] from User documentation on "secure" is occasionally unpublishing to Diviner publishing can fail resoundingly with unusual file permissions [was: User documentation on "secure" is occasionally unpublishing].
Mon, Dec 17, 3:45 PM · Diviner
epriestley committed rP5e94343c7d1a: Add a garbage collector for MFA challenges (authored by epriestley).
Add a garbage collector for MFA challenges
Mon, Dec 17, 3:01 PM
epriestley added a commit to T13222: 2018 Week 48-51 Bonus Content: rP5e94343c7d1a: Add a garbage collector for MFA challenges.
Mon, Dec 17, 3:01 PM · Plans
epriestley closed D19888: Add a garbage collector for MFA challenges.
Mon, Dec 17, 3:01 PM
epriestley committed rPb8cbfda07ce6: Track MFA "challenges" so we can bind challenges to sessions and support SMS… (authored by epriestley).
Track MFA "challenges" so we can bind challenges to sessions and support SMS…
Mon, Dec 17, 3:00 PM
epriestley added a commit to T9770: It is possible to use the same 2FA token more than once: rPb8cbfda07ce6: Track MFA "challenges" so we can bind challenges to sessions and support SMS….
Mon, Dec 17, 3:00 PM · Security, Auth
epriestley added a commit to T13222: 2018 Week 48-51 Bonus Content: rPb8cbfda07ce6: Track MFA "challenges" so we can bind challenges to sessions and support SMS….
Mon, Dec 17, 3:00 PM · Plans
epriestley closed D19886: Track MFA "challenges" so we can bind challenges to sessions and support SMS and other push MFA.
Mon, Dec 17, 3:00 PM
epriestley committed rPc731508d748a: Require MFA implementations to return a formal result object when validating… (authored by epriestley).
Require MFA implementations to return a formal result object when validating…
Mon, Dec 17, 3:00 PM
epriestley added a commit to T13222: 2018 Week 48-51 Bonus Content: rPc731508d748a: Require MFA implementations to return a formal result object when validating….
Mon, Dec 17, 2:59 PM · Plans
epriestley closed D19885: Require MFA implementations to return a formal result object when validating factors.
Mon, Dec 17, 2:59 PM
epriestley renamed T13222: 2018 Week 48-51 Bonus Content from 2018 Week 48-50 Bonus Content to 2018 Week 48-51 Bonus Content.
Mon, Dec 17, 2:51 PM · Plans
epriestley added a member for Community: cfloyd.
Mon, Dec 17, 2:08 PM

Sun, Dec 16

20after4 added a watcher for Plans: 20after4.
Sun, Dec 16, 6:03 PM

Sat, Dec 15

epriestley edited the content of Changelog.
Sat, Dec 15, 7:20 AM
epriestley committed rPHUa537ba03c994: (stable) Promote 2018 Week 50 (authored by epriestley).
(stable) Promote 2018 Week 50
Sat, Dec 15, 7:20 AM
epriestley committed rARCed5d02ab3ef9: (stable) Promote 2018 Week 50 (authored by epriestley).
(stable) Promote 2018 Week 50
Sat, Dec 15, 7:19 AM
epriestley committed rP61a5a4811540: (stable) Promote 2018 Week 50 (authored by epriestley).
(stable) Promote 2018 Week 50
Sat, Dec 15, 7:19 AM
epriestley created 2018 Week 50 (Mid December).
Sat, Dec 15, 7:19 AM

Fri, Dec 14

epriestley committed rP54b952df5d14: Fix weird gap/spacing on user "Manage" page (authored by epriestley).
Fix weird gap/spacing on user "Manage" page
Fri, Dec 14, 11:40 PM
epriestley closed D19892: Fix weird gap/spacing on user "Manage" page.
Fri, Dec 14, 11:40 PM
epriestley accepted D19891: Move admin promotions to modular transactions.

I feel like there's a word for being kicked out of Hogwarts and having your wizarding powers revoked, but it is not leaping to mind.

Fri, Dec 14, 11:37 PM
amckinley added inline comments to D19886: Track MFA "challenges" so we can bind challenges to sessions and support SMS and other push MFA.
Fri, Dec 14, 11:32 PM
amckinley accepted D19892: Fix weird gap/spacing on user "Manage" page.
Fri, Dec 14, 11:32 PM
epriestley requested review of D19892: Fix weird gap/spacing on user "Manage" page.
Fri, Dec 14, 11:30 PM
amckinley requested review of D19891: Move admin promotions to modular transactions.
Fri, Dec 14, 11:28 PM
epriestley added inline comments to D19886: Track MFA "challenges" so we can bind challenges to sessions and support SMS and other push MFA.
Fri, Dec 14, 10:45 PM
epriestley added a comment to D19888: Add a garbage collector for MFA challenges.

Yeah -- I initially kept it for a week, but then I was like "it would be better to make that week configurable since it's kind of weird to hard-code it and there's support to make it configurable...", but that was kind of a bit more code and we'd end up with a mild mess removing it later since the configurable part gets stored in Config. I'd also guess there's a real possibility that we never actually look at this table to debug anything.

Fri, Dec 14, 10:06 PM
amckinley accepted D19888: Add a garbage collector for MFA challenges.

I don't want to go down a bike shedding path here, but I feel like keeping challenges for a ~week would put us in a better position the first time someone wants to debug this stuff.

Fri, Dec 14, 8:14 PM
amckinley accepted D19886: Track MFA "challenges" so we can bind challenges to sessions and support SMS and other push MFA.
Fri, Dec 14, 7:52 PM
epriestley added inline comments to D19890: Simplify and correct some challenge TTL lockout code.
Fri, Dec 14, 4:07 PM
epriestley added inline comments to D19886: Track MFA "challenges" so we can bind challenges to sessions and support SMS and other push MFA.
Fri, Dec 14, 4:02 PM
epriestley added a comment to D19886: Track MFA "challenges" so we can bind challenges to sessions and support SMS and other push MFA.

Some of the TTL/window stuff is a little funky here; my expectation is that this change is more of a "shaped roughly correctly/moving us in the right direction" kind of change than a polished product. D19890 improves things a bit. Changes in this sequence all make life harder for attackers, but until everything is in, the actual security model the changes implement may have some weird holes in it.

Fri, Dec 14, 4:00 PM
epriestley requested review of D19890: Simplify and correct some challenge TTL lockout code.
Fri, Dec 14, 3:59 PM
epriestley added a revision to T13222: 2018 Week 48-51 Bonus Content: D19890: Simplify and correct some challenge TTL lockout code.
Fri, Dec 14, 3:57 PM · Plans
epriestley added a child revision for D19889: Bind MFA challenges to particular workflows, like signing a specific Legalpad document: D19890: Simplify and correct some challenge TTL lockout code.
Fri, Dec 14, 3:57 PM
epriestley updated the diff for D19889: Bind MFA challenges to particular workflows, like signing a specific Legalpad document.
  • Move a related logic change to the next diff.
Fri, Dec 14, 2:26 PM
epriestley requested review of D19889: Bind MFA challenges to particular workflows, like signing a specific Legalpad document.
Fri, Dec 14, 2:18 PM
epriestley added a revision to T13222: 2018 Week 48-51 Bonus Content: D19889: Bind MFA challenges to particular workflows, like signing a specific Legalpad document.
Fri, Dec 14, 2:16 PM · Plans
epriestley added a child revision for D19888: Add a garbage collector for MFA challenges: D19889: Bind MFA challenges to particular workflows, like signing a specific Legalpad document.
Fri, Dec 14, 2:16 PM
epriestley requested review of D19888: Add a garbage collector for MFA challenges.
Fri, Dec 14, 1:34 PM
epriestley added a child revision for D19886: Track MFA "challenges" so we can bind challenges to sessions and support SMS and other push MFA: D19888: Add a garbage collector for MFA challenges.
Fri, Dec 14, 1:32 PM
epriestley added a revision to T13222: 2018 Week 48-51 Bonus Content: D19888: Add a garbage collector for MFA challenges.
Fri, Dec 14, 1:32 PM · Plans
amckinley committed rPd23cc4b862aa: Move user renames to modular transactions (authored by amckinley).
Move user renames to modular transactions
Fri, Dec 14, 12:48 AM
amckinley closed D19887: Move user renames to modular transactions.
Fri, Dec 14, 12:48 AM
amckinley added inline comments to D19887: Move user renames to modular transactions.
Fri, Dec 14, 12:47 AM
epriestley added a comment to D19887: Move user renames to modular transactions.

🍰

Fri, Dec 14, 12:47 AM
amckinley updated the diff for D19887: Move user renames to modular transactions.

Requested changes.

Fri, Dec 14, 12:46 AM
epriestley added inline comments to D19887: Move user renames to modular transactions.
Fri, Dec 14, 12:32 AM
epriestley added inline comments to D19887: Move user renames to modular transactions.
Fri, Dec 14, 12:30 AM
epriestley accepted D19887: Move user renames to modular transactions.
Fri, Dec 14, 12:27 AM
amckinley added inline comments to D19887: Move user renames to modular transactions.
Fri, Dec 14, 12:23 AM
amckinley requested review of D19887: Move user renames to modular transactions.
Fri, Dec 14, 12:22 AM
epriestley added a comment to D19885: Require MFA implementations to return a formal result object when validating factors.

D19886 ended up renaming "Hint" to "Error Message" and pushing the instanceof X logic into the abstract base AuthFactor class, using this sorta thing:

Fri, Dec 14, 12:17 AM
epriestley committed rP080fb1985f29: Upgrade an old "weakDigest()" inside TOTP synchronization code (authored by epriestley).
Upgrade an old "weakDigest()" inside TOTP synchronization code
Fri, Dec 14, 12:16 AM
epriestley added a commit to T12509: Plan the path forward from HMAC-SHA1: rP080fb1985f29: Upgrade an old "weakDigest()" inside TOTP synchronization code.
Fri, Dec 14, 12:16 AM · Infrastructure, Security
epriestley added a commit to T13222: 2018 Week 48-51 Bonus Content: rP080fb1985f29: Upgrade an old "weakDigest()" inside TOTP synchronization code.
Fri, Dec 14, 12:16 AM · Plans
epriestley closed D19884: Upgrade an old "weakDigest()" inside TOTP synchronization code.
Fri, Dec 14, 12:16 AM
epriestley committed rP1d34238dc945: Upgrade sessions digests to HMAC256, retaining compatibility with old digests (authored by epriestley).
Upgrade sessions digests to HMAC256, retaining compatibility with old digests
Fri, Dec 14, 12:16 AM
epriestley added a commit to T13225: Complete session digest migration from SHA1 to SHA256: rP1d34238dc945: Upgrade sessions digests to HMAC256, retaining compatibility with old digests.
Fri, Dec 14, 12:15 AM · Installing & Upgrading, Infrastructure, Security
epriestley closed D19883: Upgrade sessions digests to HMAC256, retaining compatibility with old digests.
Fri, Dec 14, 12:15 AM
epriestley added a commit to T13222: 2018 Week 48-51 Bonus Content: rP1d34238dc945: Upgrade sessions digests to HMAC256, retaining compatibility with old digests.
Fri, Dec 14, 12:15 AM · Plans
epriestley committed rPc58506aeaace: Give sessions real PHIDs and slightly modernize session queries (authored by epriestley).
Give sessions real PHIDs and slightly modernize session queries
Fri, Dec 14, 12:15 AM