Skip to content

Resolve "Email the user when their two-factor OTP attempt is wrong"

What does this MR do and why?

Related to #374740 (closed), the need for this change is described well in a blog post: https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781c3861db

With the changes in this MR, going forward, if an attacker has obtained the username and password of a user, and is then trying to bruteforce their way through 2FA codes for a successful login, an email will be triggered to the user at each attempt of entering a wrong 2FA OTP.

This way, we can alert the user that: hey, someone has your username and password, and is now trying to login to your account by trying out multiple 2FA codes. This helps prevent cases where users only come to know of the account takeover after receiving the Sign-in from an unknown location email.

Screenshots or screen recordings

HTML version

Screenshot_2022-09-23_at_12.38.09_PM

Text version

Screenshot_2022-09-23_at_12.38.15_PM

How to set up and validate locally

In your GDK,

  • enable the feature flag email_for_two_factor_otp_failure via Rails console: Feature.enable(:email_for_two_factor_otp_failure)
  • setup 2FA for your user on GDK.
  • Sign out after setting up 2FA
  • Try to sign in.
  • On the 2FA OTP page, enter a wrong 2FA OTP.
  • You should have received an email on http://localhost:3000/rails/letter_opener/, informing you about the attempted login using a wrong 2FA code.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Manoj M J

Merge request reports

Loading