Open Closed

Implement member 2FA for mobile app #6921

User avatar
0
aldhamdy created
  • ABP Framework version: v8.0.4
  • UI Type: Angular / Flutter
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace: n/a
  • Steps to reproduce the issue: n/a

We need to implement 2FA for our mobile app, we use the password flow, we we enabled the 2FA the system requires/send OTP every time customer login to his account from mobile app. we want to implement the remember device 2FA which will let's sending/requiring 2FA for new device only per user.

this feature is available for web application users, but we have another use-case which mobile app users.

So, please we need your support for achieving this case.

thanks

Go to accepted answer
3 Answer(s)
  • User Avatar
    1
    maliming created
    Support Team Fullstack Developer

    hi

    This may be a security risk.

    You can change the TokenController.Password behavior to achieve it.

    https://github.com/abpframework/abp/blob/dev/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/TokenController.Password.cs#L372-L377

    https://github.com/abpframework/abp/blob/dev/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/TokenController.Password.cs#L149

  • User Avatar
    0
    aldhamdy created

    hi

    This may be a security risk.

    You can change the TokenController.Password behavior to achieve it.

    https://github.com/abpframework/abp/blob/dev/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/TokenController.Password.cs#L372-L377

    https://github.com/abpframework/abp/blob/dev/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/TokenController.Password.cs#L149

    Thanks @mailming, Could you please give us more clarification about the security risk you mentioned above.

    Also, Is it better to implement required use-case (above) in the new module (session management) that you are working on it (I'm following your branch) ?

    thanks

  • User Avatar
    1
    maliming created
    Support Team Fullstack Developer

    hi

    You should make the remember feature invalidate when the user's 2fa changes. This can be complicated.

    We will introduce the session management feature in 8.2.

    • [x] Automatically terminate a user session if the same user is logging in with another "same type of device"
    • [x] Make it optional with a setting that can be dynamically changed on the settings page (per tenant), with the following options: Disabled, Logout from same type devices, Logout from all devices.
    • [x] "same type of device" means we can restrict single login with browser, but we may still can login with a mobile application without affecting the browser session. So, for each device type, we may allow a single login. It would be better to enable or disable that restriction per device type.
    • [x] Add a new row action in the user management page, like "Sessions". Open a new modal when we click it.
    • [x] In the "Sessions" modal, show user's currently active sessions (with login time, last activity time, device type). Here, we may "force logout" any session.

Assignee
User avatar maliming
Labels
None yet
Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11