
Show arkose challenge after two incorrect phone verification attempts

What does this MR do and why?

  • Partially resolves https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/528+s
  • Shows the Arkose challenge to the user after 2 incorrect phone verification attempts.
  • Adds a new feature flag, arkose_labs_phone_verification_challenge.
  • Adds a new rate limit, phone_verification_arkose_trigger.
  • If the feature flag is enabled and the user has made more than 2 phone verification attempts, the Arkose challenge is triggered during the phone verification process.
  • While the Arkose challenge is shown, all buttons are disabled/hidden until the challenge is solved.
  • The attempt count is tracked by the rate limit, not in the browser, so refreshing the page does not reset it: a user who has made more than 2 phone verification attempts still gets the Arkose challenge after a refresh.
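As an added example, not code from this MR or from GitLab, the following Ruby sketches the server-side gate the bullets above describe: an attempt counter keyed by user id, a feature-flag check, a decision that survives a page refresh because it is read from the counter rather than from client state, and a reset once the challenge is solved. MemoryRateLimiter and PhoneVerificationChallengeGate are hypothetical names; the in-memory fixed-window counter stands in for the real Redis-backed rate limit, and the two free attempts and one-hour window are assumed values. The verify_code method also refuses to check a code while a challenge is pending, which the MR description does not mention (it only mentions disabling the buttons); that refusal is the check a practitioner would want, since hidden buttons alone do not stop a direct request.

```ruby
# Hypothetical fixed-window counter, a stand-in for a Redis INCR-with-expiry
# rate limit. Keys are arbitrary; the gate below uses the user id.
class MemoryRateLimiter
  def initialize(limit:, interval:, clock: -> { Time.now })
    @limit = limit          # events per window before the key is "exceeded"
    @interval = interval    # window length in seconds
    @clock = clock          # injectable clock so expiry can be tested offline
    @store = {}             # key => { count:, expires_at: }
  end

  # Count one event against +key+; true once +limit+ events sit in the window.
  def count!(key)
    entry = window_for(key)
    entry[:count] += 1
    entry[:count] >= @limit
  end

  # Read-only check used when rendering: must not consume an attempt, otherwise
  # every page refresh would move the user closer to (or past) the threshold.
  def exceeded?(key)
    entry = @store[key]
    return false if entry.nil? || entry[:expires_at] <= @clock.call

    entry[:count] >= @limit
  end

  def reset(key)
    @store.delete(key)
  end

  private

  # Live window for +key+, starting a fresh one if the old window has expired.
  def window_for(key)
    now = @clock.call
    entry = @store[key]
    if entry.nil? || entry[:expires_at] <= now
      entry = { count: 0, expires_at: now + @interval }
      @store[key] = entry
    end
    entry
  end
end

class PhoneVerificationChallengeGate
  FREE_ATTEMPTS = 2        # assumed: third attempt triggers the challenge
  WINDOW_SECONDS = 60 * 60 # assumed window length

  def initialize(feature_enabled:, clock: -> { Time.now })
    @feature_enabled = feature_enabled # stands in for the feature flag
    @limiter = MemoryRateLimiter.new(limit: FREE_ATTEMPTS,
                                     interval: WINDOW_SECONDS,
                                     clock: clock)
  end

  # Called after a submitted code was rejected. Returns true when this failure
  # pushed the user to the threshold.
  def record_incorrect_attempt(user_id)
    @limiter.count!(user_id)
  end

  # Asked when rendering the phone-verification step. State lives server-side,
  # so a page refresh cannot clear it; with the flag off the challenge is never shown.
  def challenge_required?(user_id)
    return false unless @feature_enabled

    @limiter.exceeded?(user_id)
  end

  # Clear the counter once the Arkose challenge has been solved.
  def challenge_solved(user_id)
    @limiter.reset(user_id)
  end

  # Server-side enforcement point: refuse to check a code while a challenge is
  # pending, so disabled buttons in the UI are not the only barrier.
  def verify_code(user_id, submitted, expected)
    return :challenge_required if challenge_required?(user_id)

    if secure_equal?(submitted, expected)
      @limiter.reset(user_id)
      :verified
    else
      record_incorrect_attempt(user_id)
      :incorrect
    end
  end

  private

  # Constant-time comparison so timing does not leak how many leading digits matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Two design points worth keeping when wiring this into a real controller: the render-time check must be a peek, not an increment, or refreshing the page would itself burn attempts; and the successful path resets the counter so a user who eventually types the right code is not left carrying a stale throttle into a later verification.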

Screenshots or screen recordings

[Screen recording: arkose-challenge]

How to set up and validate locally

  1. Turn on the feature flags:
     Feature.enable(:arkose_labs_phone_verification_challenge)
     Feature.enable(:identity_verification_phone_number)
     Feature.enable(:identity_verification)
  2. Update the application setting to turn on verification:
     ApplicationSetting.first.update(require_admin_approval_after_user_signup: false, email_confirmation_setting: "hard")
  3. Get credentials from 1Password to connect to our external services: Arkose (responsible for showing the captcha) and TeleSign (responsible for sending the phone verification code).
     ApplicationSetting.first.update(arkose_labs_public_api_key: XX, arkose_labs_private_api_key: XX, telesign_customer_xid: XX, telesign_api_key: XX)
  4. Sign up as a new user at /users/sign_up. You should see a page with the content "Help us keep GitLab secure".
  5. Turn on phone verification for that user:
     UserCustomAttribute.where(user: User.last, key: 'arkose_risk_band').update(value: 'MEDIUM')
  6. Refresh the page. You should see 2 steps: Step 1 for email verification and Step 2 for phone verification.
  7. Find your email verification code at http://127.0.0.1:3000/rails/letter_opener. Enter it and you should see the phone verification step.
  8. Enter your phone number to receive a verification code.
  9. Force Arkose to show a captcha. You might have to keep the browser console open to keep seeing the captcha.
  10. Make incorrect attempts to verify your phone number; after 2 attempts you should see the Arkose captcha.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/528 https://gitlab.com/gitlab-com/gl-infra/production/-/issues/17141

Edited by Wayne Haber
