'Remember this device' feature #384

Open
brynwhyman opened this issue May 26, 2020 · 9 comments

Comments


brynwhyman commented May 26, 2020

Overview

There is a significant number of site owners that will only access their site admin over an already mostly-secure network, i.e. within the workplace office; over the workplace network/VPN; through an IP whitelist, etc.

The friction of MFA could be reduced for these users by introducing a 'remember this device for x days' feature, storing a cookie in the device browser and not requiring the user to authenticate with MFA until it expires.

This work is currently not planned but feedback on the implementation (or contributions) is of course welcome.

ACs (draft)

  • Users can record their personal devices as 'trusted'. Subsequent login attempts from the trusted device will not challenge the user for MFA credentials.
  • The user has the ability to manage their trusted devices, including revoking a trusted device
  • This feature would override the existing 'Keep me logged in' feature present in core
  • The life-time of a trusted device is configurable with a suitable default set
  • The site admin has the ability to enable/disable this feature across the site CMS
  • A user can have multiple trusted devices
  • There's guidance, or some indication what this will result in (skip future MFA challenges) outlined to the user
  • The existing docs on 'trusted devices' are updated to reflect new functionality

TBC:

  • With this option enabled for a user, they should still be prompted for their Email and Password on subsequent logins

@ScopeyNZ
Contributor

So this is different from the existing "remember me" feature as they still want a single factor of authentication?

@brynwhyman
Author

Yes, but to be honest I had forgotten to consider the existing 'Keep me signed in' feature! I'm going to close this issue in light of that.

@brynwhyman
Author

Perhaps this would help? #385

@brynwhyman
Author

brynwhyman commented Jun 3, 2020

Reopening this. We're starting to see a real demand for this, as it's perceived that the 'Keep me signed in' feature is not always secure enough as it also removes the need to enter the email and password.

I feel like #385 is still relevant to add given it outlines the security considerations that need to be made when using the feature.

I've added draft ACs to the description.

@brynwhyman
Author

brynwhyman commented Jun 26, 2020

There's of course more potential enhancements down this path like 'managing' trusted devices (as Google offers) via the user's Profile page.

@brynwhyman
Author

Another AC to consider here:

  • There is a CMS toggle to globally allow/disallow trusted devices
  • The allow/disallow admin toggle is restricted to the MFA role permission

@chillu
Member

chillu commented Nov 23, 2020

There's significant overlap with the ability to manage and invalidate sessions across devices (through a login session database record): silverstripe/silverstripe-framework#8694.

As a recap, currently the CMS allows "remember me" as a user opt-in on login. If selected, it generates a Remember Login Hash, associates it to the user, and writes it into the user cookie. If the session expires, but the value exists in the cookie, it automatically starts a new session without asking for authentication or MFA codes. This works from multiple devices already. When any of the devices logs out, the default behaviour is to invalidate all Remember Login Hash records for the user (since there's no centralised management UI).

Might be useful to put down some definitions so we're all talking about the same things:

  • Device: Either considered a client with the ability to perform logins and store cookies (Browser), or a separate piece of hardware. Currently identified via Remember Login Hash, but could be identified through user agent and the last IP address used to connect. The same hardware device (e.g. a laptop) could contain multiple logical devices (Browsers). The Remember Login Hash record already tracks a (randomised) DeviceID
  • Browser: Separate from a Device, but a web application likely can't distinguish between them (not enough metadata in the request), unless you're using browser Javascript APIs to get e.g. device make and model (unclear).
  • PHP Session: Short-lived session managed by PHP, with a session identifier stored in a cookie. Stores the actual data associated to the session. Typical expiry: hours.
  • Remember Login Hash: Long-lived database value stored against a user record. When held by a device, it can be used to restore a PHP Session without the need to enter credentials. Typical expiry: weeks.
  • Login Session: Reference to a PHP Session in the database, enabling user/admin management of session state. Does not store session data directly. Typical expiry: hours (same as PHP Session)
  • Remember MFA Hash: Hypothetical long-lived database value stored against a user record. When held by a device, it can be used to replace the MFA authentication step, but relies on Remember Login Hash to replace login credentials. Typical expiry: weeks.

I think it's going to introduce a lot of unnecessary complexity if we decide to treat Device as a different concept from Login Session. /cc @silverstripe/ux-contributors @silverstripeux

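As an added illustration, and not code from this issue or from the silverstripe-mfa module, the following Python sketch models the draft ACs in the issue description and the hypothetical "Remember MFA Hash" from the definitions above: the browser cookie carries a random secret, the server stores only its SHA-256 hash against the user, the lifetime is configurable with a default, there is a site-wide enable/disable toggle, a user may hold several trusted devices, and each can be listed and revoked. Password authentication is assumed to have already succeeded before `mfa_required` is consulted, which is the "still prompted for Email and Password" behaviour the issue asks for. The class and method names (`TrustedDeviceStore`, `trust_device`, `mfa_required`, `revoke`), the in-memory dictionary standing in for a database table, and the reference time `T0` are all assumptions made for this example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed reference time so the example is deterministic; a real
# implementation would use datetime.now(timezone.utc) on every call.
T0 = datetime(2020, 6, 1, tzinfo=timezone.utc)


def days_after(moment: datetime, days: int) -> datetime:
    """Helper for expressing 'n days later' in examples and tests."""
    return moment + timedelta(days=days)


@dataclass
class TrustedDevice:
    user_id: str
    device_id: str   # random, non-secret handle shown in a management UI
    label: str       # user-supplied description, e.g. "Office laptop"
    created: datetime
    expires: datetime


class TrustedDeviceStore:
    """Server-side registry for a 'remember this device' MFA bypass.

    Hypothetical design for this example: the cookie value is a random
    secret; only its SHA-256 hash is stored, so a leaked table cannot be
    turned back into a usable cookie. The store replaces the MFA step only;
    the password check still happens on every login.
    """

    def __init__(self, lifetime_days: int = 30, enabled: bool = True):
        self.lifetime = timedelta(days=lifetime_days)  # configurable, with a default
        self.enabled = enabled                         # site-wide admin toggle
        self._records = {}                             # token hash -> TrustedDevice

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def trust_device(self, user_id: str, label: str, now: datetime = None) -> str:
        """Record a new trusted device and return the secret for the cookie."""
        now = now or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(32)
        self._records[self._hash(token)] = TrustedDevice(
            user_id=user_id,
            device_id=secrets.token_hex(8),
            label=label,
            created=now,
            expires=now + self.lifetime,
        )
        return token  # set as an HttpOnly, Secure cookie by the caller

    def mfa_required(self, user_id: str, cookie_token, now: datetime = None) -> bool:
        """Called after a successful password check: True means challenge MFA."""
        now = now or datetime.now(timezone.utc)
        if not self.enabled or not cookie_token:
            return True
        key = self._hash(cookie_token)
        record = self._records.get(key)
        # Unknown token, or a token issued to a different user, never skips MFA.
        if record is None or record.user_id != user_id:
            return True
        if now >= record.expires:
            del self._records[key]  # expired: clean up and fall back to MFA
            return True
        return False

    def list_devices(self, user_id: str):
        """Devices a user can see in a profile page; secrets are never returned."""
        return [r for r in self._records.values() if r.user_id == user_id]

    def revoke(self, user_id: str, device_id: str) -> bool:
        """Remove one trusted device; returns False if it was not found."""
        for key, record in list(self._records.items()):
            if record.user_id == user_id and record.device_id == device_id:
                del self._records[key]
                return True
        return False


if __name__ == "__main__":
    store = TrustedDeviceStore(lifetime_days=30)
    cookie = store.trust_device("alice", "Office laptop", now=T0)
    print("MFA needed today:", store.mfa_required("alice", cookie, now=T0))
    print("MFA needed after 31 days:", store.mfa_required("alice", cookie, now=days_after(T0, 31)))
```

Two of chillu's points are visible in the shape of this sketch: the "device" is only ever the holder of a token (there is no attempt to fingerprint browsers or hardware), and because the record is keyed per user, a trusted-device list and a login-session list would naturally live side by side in the same management UI rather than as separate concepts.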
@clarkepaul

Awesome thanks @chillu

@NightJar
Contributor

This feature might already exist in a better way than being part of this 'core' module.

Have not used, have not tested. Just saw it in the dependency graph.
