
Resolve "Email the user when their two-factor OTP attempt is wrong"

What does this MR do and why?

Related to #374740 (closed), the need for this change is described well in a blog post: https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781c3861db

With the changes in this MR, if an attacker who has obtained a user's username and password then tries to brute-force their way through 2FA codes to complete the login, an email is sent to the user on every attempt that enters a wrong 2FA OTP.

This way, we can alert the user early: someone has your username and password and is now trying to log in to your account by trying multiple 2FA codes. This helps prevent cases where users only learn of the account takeover after receiving the "Sign-in from an unknown location" email.
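The flow this MR describes, as an added example that is not GitLab's code: a stdlib-only TOTP check that, on a wrong code and only while the email_for_two_factor_otp_failure flag is enabled, records the notification the mailer would send. FeatureFlags, NotificationLog and verify_otp are stand-ins for the real classes and are assumptions of this example.

```ruby
require 'openssl'

# Stand-in for GitLab's Feature flag API (assumption, not the real class).
module FeatureFlags
  @enabled = {}
  def self.enable(name);   @enabled[name] = true;  end
  def self.disable(name);  @enabled[name] = false; end
  def self.enabled?(name); @enabled.fetch(name, false); end
end

# RFC 6238 TOTP from a raw secret using only stdlib OpenSSL (no ROTP gem).
def totp_code(secret, time, step: 30, digits: 6)
  counter = [time.to_i / step].pack('Q>')   # 8-byte big-endian time step
  hmac = OpenSSL::HMAC.digest('SHA1', secret, counter).bytes
  offset = hmac.last & 0x0f                 # dynamic truncation (RFC 4226)
  binary = ((hmac[offset] & 0x7f) << 24) | (hmac[offset + 1] << 16) |
           (hmac[offset + 2] << 8) | hmac[offset + 3]
  (binary % 10**digits).to_s.rjust(digits, '0')
end

# Constant-time comparison so the check does not leak which digits matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Records what the mailer would send (stand-in for the notification email).
class NotificationLog
  attr_reader :sent
  def initialize; @sent = []; end
  def two_factor_otp_failed(user, ip:); @sent << { user: user, ip: ip }; end
end

# Verifies the submitted OTP. Every wrong attempt triggers the email while the
# email_for_two_factor_otp_failure flag is enabled, as the MR describes.
def verify_otp(user, secret, submitted, notifier:, now: Time.now, ip: 'unknown')
  return true if secure_compare(totp_code(secret, now), submitted.to_s.strip)
  if FeatureFlags.enabled?(:email_for_two_factor_otp_failure)
    notifier.two_factor_otp_failed(user, ip: ip)
  end
  false
end
```

The secret and timestamp in the test are the RFC 6238 SHA-1 test vector, so the expected code can be checked against the RFC.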

Screenshots or screen recordings

HTML version

Screenshot_2022-09-23_at_12.38.09_PM

Text version

Screenshot_2022-09-23_at_12.38.15_PM

How to set up and validate locally

In your GDK,

  • Enable the feature flag email_for_two_factor_otp_failure via the Rails console: Feature.enable(:email_for_two_factor_otp_failure)
  • Set up 2FA for your user on GDK.
  • Sign out after setting up 2FA.
  • Try to sign in.
  • On the 2FA OTP page, enter a wrong 2FA OTP.
  • You should have received an email at http://localhost:3000/rails/letter_opener/, informing you about the attempted login using a wrong 2FA code.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Manoj M J
