most/all of the extensions
Notes for myself:
do other MFA implementations handle this differently?
Does the human-visible Google Authenticator countdown correspond to multiple "timesteps" in TOTP RFC-ese?
Your device is showing T+3 if the clock is right, so if you type in what's shown on your device it won't be accepted.
If this doesn't get refined, I'll change the UI to say...
After the stack of changes under D19897 land:
This appears to be stable and working properly. D19897 removes a straggling guardrail.
- Better ordering for capability checks?
- Actually, just provide the clearer text ("recently issued a challenge which has expired") for now. We can refine this later if it makes sense, but this doesn't leave us with a rough edge hanging around.
- Requested a challenge, waited 60-120 seconds, answered it, was told to wait because it had expired, waited, answered the next challenge.
Sun, Dec 16
Sat, Dec 15
Fri, Dec 14
I feel like there's a word for being kicked out of Hogwarts and having your wizarding powers revoked, but it is not leaping to mind.
Yeah -- I initially kept it for a week, but then I was like "it would be better to make that week configurable since it's kind of weird to hard-code it and there's support to make it configurable...", but that was kind of a bit more code and we'd end up with a mild mess removing it later since the configurable part gets stored in Config. I'd also guess there's a real possibility that we never actually look at this table to debug anything.
I don't want to go down a bike shedding path here, but I feel like keeping challenges for a ~week would put us in a better position the first time someone wants to debug this stuff.
Some of the TTL/window stuff is a little funky here; my expectation is that this change is more of a "shaped roughly correctly/moving us in the right direction" kind of change than a polished product. D19890 improves things a bit. Changes in this sequence all make life harder for attackers, but until everything is in, the actual security model the changes implement may have some weird holes in it.
- Move a related logic change to the next diff.
D19886 ended up renaming "Hint" to "Error Message" and pushing the instanceof X logic into the abstract base AuthFactor class, using this sorta thing: