Diffusion Phabricator ada8a56bb7db

Implement SMS MFA
ada8a56bb7db
Actions

Tags

None

Referenced Files

None

Subscribers

None

Description

Implement SMS MFA

Summary:
Depends on D20021. Ref T13222. This has a few rough edges, including:

The challenges theselves are CSRF-able.
You can go disable/edit your contact number after setting up SMS MFA and lock yourself out of your account.
SMS doesn't require MFA so an attacker can just swap your number to their number.

...but mostly works.

Test Plan:

Added SMS MFA to my account.
Typed in the number I was texted.
Typed in some other different numbers (didn't work).
Cancelled/resumed the workflow, used SMS in conjunction with other factors, tried old codes, etc.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13222

Differential Revision: https://secure.phabricator.com/D20022

Details

Provenance

epriestley	Authored on Jan 16 2019, 4:38 PM
epriestley	Pushed on Jan 23 2019, 10:17 PM

Reviewer

Differential Revision

D20022: Implement SMS MFA

Parents

rP6c11f373965c: Add a pre-enroll step for MFA, primarily as a CSRF gate

Branches

Unknown

Tags

Unknown

Tasks

T13222: 2018 Week 48-51 Bonus Content

Build Status

Buildable 21672
Build 29554: Run Core Tests

Event Timeline

epriestley committed rPada8a56bb7db: Implement SMS MFA (authored by epriestley).Jan 23 2019, 10:17 PM

epriestley added a task: T13222: 2018 Week 48-51 Bonus Content.

Harbormaster completed building B21672: rPada8a56bb7db: Implement SMS MFA.Jan 23 2019, 10:20 PM

Changes (4)

Path

Size

src/

__phutil_library_map__.php

applications/

auth/

factor/

PhabricatorAuthFactor.php

PhabricatorSMSAuthFactor.php

phid/

PhabricatorAuthMessagePHIDType.php

rPada8a56bb7db

src/__phutil_library_map__.php

Loading...

src/applications/auth/factor/PhabricatorAuthFactor.php

Loading...

src/applications/auth/factor/PhabricatorSMSAuthFactor.php

Loading...

src/applications/auth/phid/PhabricatorAuthMessagePHIDType.php

Loading...