Resolve "Email the user when their two-factor OTP attempt is wrong"
What does this MR do and why?
Related to #374740 (closed). The need for this change is described well in this blog post: https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781c3861db
With the changes in this MR, if an attacker who has obtained a user's username and password tries to brute-force the 2FA step by submitting OTP codes until one succeeds, an email is sent to the user on every wrong 2FA OTP attempt.
This way we can alert the user that someone has their username and password and is now trying to log in to their account by trying out multiple 2FA codes. This helps prevent cases where users only learn of the account takeover after receiving the "Sign-in from an unknown location" email.
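To make the mechanism concrete, here is an added example (not code from this MR or from GitLab) of an OTP check that raises a notification on every wrong attempt, gated behind the `email_for_two_factor_otp_failure` flag. GitLab's real `Feature` store, its mailer and its TOTP library are replaced by assumed in-memory stand-ins built on Ruby's standard library; the class and method names `TwoFactorVerifier`, `RecordingMailer` and `two_factor_otp_attempt_failed` are hypothetical, and the secret and timestamp are constructed test values.

```ruby
require 'openssl'

# RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step) implemented on the
# standard library so this file runs without the rotp gem. `secret` is raw bytes.
def totp_code(secret, at, step: 30, digits: 6)
  counter = [at.to_i / step].pack('Q>')            # 8-byte big-endian counter
  hmac = OpenSSL::HMAC.digest('SHA1', secret, counter)
  offset = hmac.bytes.last & 0x0f                  # dynamic truncation (RFC 4226)
  truncated = hmac.byteslice(offset, 4).unpack1('N') & 0x7fffffff
  (truncated % (10**digits)).to_s.rjust(digits, '0')
end

# Constant-time comparison so response timing does not leak how many leading
# digits of a guess were right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Assumed stand-in for GitLab's Feature flag store: same enable/enabled? shape,
# backed by an in-memory hash.
module Feature
  @enabled = {}

  def self.enable(name)
    @enabled[name] = true
  end

  def self.disable(name)
    @enabled[name] = false
  end

  def self.enabled?(name)
    @enabled.fetch(name, false)
  end
end

# Assumed stand-in for the notification mailer: records deliveries instead of
# sending them, so a test can count one email per wrong attempt.
class RecordingMailer
  attr_reader :deliveries

  def initialize
    @deliveries = []
  end

  # Hypothetical mailer action name, not GitLab's.
  def two_factor_otp_attempt_failed(user)
    @deliveries << { to: user[:email], subject: 'Attempted sign-in using a wrong two-factor code' }
  end
end

class TwoFactorVerifier
  DRIFT_STEPS = 1 # accept the previous and next 30-second window for clock skew

  def initialize(mailer)
    @mailer = mailer
  end

  # Returns true when `code` is valid for `user` at `now`. On a wrong code it
  # notifies the user, but only while the feature flag is enabled. Every window
  # is checked (no short-circuit) so timing does not reveal which one matched.
  def verify(user, code, now: Time.now)
    matches = (-DRIFT_STEPS..DRIFT_STEPS).map do |d|
      secure_compare(totp_code(user[:otp_secret], now + d * 30), code.to_s)
    end
    valid = matches.any?
    if !valid && Feature.enabled?(:email_for_two_factor_otp_failure)
      @mailer.two_factor_otp_attempt_failed(user)
    end
    valid
  end
end

if __FILE__ == $PROGRAM_NAME
  user = { email: 'user@example.com', otp_secret: 'constructed-test-secret' }
  mailer = RecordingMailer.new
  Feature.enable(:email_for_two_factor_otp_failure)
  verifier = TwoFactorVerifier.new(mailer)
  verifier.verify(user, '000000') # almost certainly wrong: triggers the email
  puts "emails sent: #{mailer.deliveries.size}"
end
```

The example sends exactly one message per wrong code, which is what the description asks for. Because of that one-to-one mapping, the notification belongs behind whatever per-user OTP attempt rate limit the application already applies; on its own it would produce one email per guess during a brute-force run.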
Screenshots or screen recordings
HTML version
Text version
How to set up and validate locally
In your GDK,
- enable the feature flag `email_for_two_factor_otp_failure` via the Rails console: `Feature.enable(:email_for_two_factor_otp_failure)`
- set up 2FA for your user on GDK.
- Sign out after setting up 2FA.
- Try to sign in.
- On the 2FA OTP page, enter a wrong 2FA OTP.
- You should have received an email at http://localhost:3000/rails/letter_opener/ informing you about the attempted login using a wrong 2FA code.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.