- ABP Framework version: v8.0.4
- UI Type: Angular / Flutter
- Database System: EF Core (SQL Server)
- Tiered (for MVC) or Auth Server Separated (for Angular): yes
- Exception message and full stack trace: n/a
- Steps to reproduce the issue: n/a
We need to implement 2FA for our mobile app. We use the password flow; when we enabled 2FA, the system requires/sends an OTP every time a customer logs in to his account from the mobile app. We want to implement the "remember device" 2FA, which would send/require 2FA only for a new device, per user.
This feature is available for web application users, but we have another use-case, which is mobile app users.
So please, we need your support for achieving this case.
thanks
3 Answer(s)
-
1
hi
This may be a security risk.
You can change the TokenController.Password behavior to achieve it:
https://github.com/abpframework/abp/blob/dev/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/TokenController.Password.cs#L372-L377
https://github.com/abpframework/abp/blob/dev/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/TokenController.Password.cs#L149
-
0
Thanks @mailming. Could you please give us more clarification about the security risk you mentioned above?
Also, is it better to implement the required use-case (above) in the new module (session management) that you are working on (I'm following your branch)?
thanks
-
1
hi
You should make the remember feature invalidate when the user's 2FA changes. This can be complicated.
We will introduce the session management feature in 8.2.
- [x] Automatically terminate a user session if the same user is logging in with another "same type of device"
- [x] Make it optional with a setting that can be dynamically changed on the settings page (per tenant), with the following options: Disabled, Logout from same type devices, Logout from all devices.
- [x] "same type of device" means we can restrict single login with a browser, but we may still be able to log in with a mobile application without affecting the browser session. So, for each device type, we may allow a single login. It would be better to enable or disable that restriction per device type.
- [x] Add a new row action in the user management page, like "Sessions". Open a new modal when we click it.
- [x] In the "Sessions" modal, show user's currently active sessions (with login time, last activity time, device type). Here, we may "force logout" any session.
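The two points raised in the answers above (a "remember device" token is a security risk, and it must be invalidated when the user's 2FA settings change) can be illustrated with a small self-contained design. The following is an added example written for this thread; it is not ABP's code and not taken from TokenController.Password. It assumes .NET 6 or later and a stand-in for IdentityUser.SecurityStamp, which ASP.NET Core Identity rotates when two-factor authentication is enabled or disabled via UserManager.SetTwoFactorEnabledAsync. How the token travels to the token endpoint (for example as an extra request parameter read in an override of the password handler) is deliberately left out, since that depends on the ABP/OpenIddict version.

```csharp
// Added example (not ABP's code): an opaque "remember this device" token that lets a
// password-flow login skip the OTP step, bound to the user's Identity security stamp so
// that any 2FA change (which rotates the stamp) invalidates every remembered device.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class RememberedDevice
{
    public string UserId { get; init; } = "";
    public byte[] TokenHash { get; init; } = Array.Empty<byte>(); // SHA-256 of the token; the raw token is never stored
    public string SecurityStamp { get; init; } = "";               // user's security stamp at issue time
    public DateTimeOffset ExpiresAt { get; init; }
}

public sealed class RememberedDeviceService
{
    private readonly List<RememberedDevice> _store = new(); // in-memory stand-in for a database table
    private readonly TimeSpan _lifetime;

    public RememberedDeviceService(TimeSpan lifetime) => _lifetime = lifetime;

    // Called after a successful password + OTP login when the client asked to remember the device.
    // Returns the raw token exactly once; only its hash is persisted.
    public string Issue(string userId, string currentSecurityStamp, DateTimeOffset now)
    {
        var token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32)); // 256 bits of entropy
        _store.Add(new RememberedDevice
        {
            UserId = userId,
            TokenHash = Hash(token),
            SecurityStamp = currentSecurityStamp,
            ExpiresAt = now + _lifetime
        });
        return token;
    }

    // Called from the password grant before deciding whether to demand an OTP.
    // True only if the token belongs to this user, has not expired, and was issued
    // under the user's current security stamp (i.e. 2FA settings have not changed).
    public bool IsRemembered(string userId, string currentSecurityStamp, string? presentedToken, DateTimeOffset now)
    {
        if (string.IsNullOrEmpty(presentedToken)) return false;
        var presentedHash = Hash(presentedToken);

        foreach (var device in _store)
        {
            if (device.UserId != userId) continue;
            if (device.ExpiresAt <= now) continue;                       // expired
            if (device.SecurityStamp != currentSecurityStamp) continue;  // stamp rotated: 2FA changed
            if (CryptographicOperations.FixedTimeEquals(device.TokenHash, presentedHash))
                return true;
        }
        return false;
    }

    // Explicit revocation hook, e.g. from a "forget all devices" action in user management.
    public int RevokeAll(string userId) => _store.RemoveAll(d => d.UserId == userId);

    private static byte[] Hash(string token) => SHA256.HashData(Encoding.UTF8.GetBytes(token));
}

public static class Demo
{
    public static void Main()
    {
        var service = new RememberedDeviceService(TimeSpan.FromDays(30));
        var now = DateTimeOffset.UtcNow;
        var stamp = "stamp-v1"; // constructed stand-in for IdentityUser.SecurityStamp

        // Constructed scenario: user completes password + OTP and asks to remember the device.
        var token = service.Issue("user-42", stamp, now);

        // Same user, same stamp, valid token: the OTP step can be skipped.
        Console.WriteLine($"valid token:   {service.IsRemembered("user-42", stamp, token, now)}");
        // Guessed token: rejected.
        Console.WriteLine($"forged token:  {service.IsRemembered("user-42", stamp, "not-the-token", now)}");
        // User toggled 2FA, Identity rotated the stamp: every remembered device is invalid.
        Console.WriteLine($"stamp rotated: {service.IsRemembered("user-42", "stamp-v2", token, now)}");
        // Token past its lifetime: rejected.
        Console.WriteLine($"expired:       {service.IsRemembered("user-42", stamp, token, now.AddDays(31))}");
    }
}
```

The design choices follow directly from the "security risk" remark: a remembered-device token is a bearer credential that substitutes for the second factor, so it is generated from a CSPRNG, stored only as a hash, compared in constant time, bound to one user, given a finite lifetime, and tied to the security stamp so that enabling, disabling or reconfiguring 2FA implicitly revokes it. The same store can feed the "Sessions" view planned for 8.2 by listing a user's remembered devices next to their active sessions.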