Two Factor (2FA) challenge is required on next login despite of the device trust option being selected
Description
Logging in again to an application re-triggers the two-factor verification challenge despite the device trust option having been selected at the first login.
Affects versions
v1.38.1
Steps to reproduce
- With an account that has multi-factor enabled, log in to an application requiring multi-factor.
- On the multi-factor verification challenge, fill in the verification code.
- Check the "Trust my computer" option.
- Once logged in to your app, remove its session cookie (of the developed app, not FusionAuth) to trigger a re-authentication.
Current behavior
The OAuth flow immediately re-authenticates the user to the application but asks for a two-factor code.
Expected behavior
The OAuth authentication process should just re-authenticate the user to the application.
Screenshots
N/A
Platform
- Device: Desktop
- OS: Multiple
- Browser + version: Multiple
- Database: PostgreSQL
Additional context
Please note that it does not happen all the time. However, when it happens, it seems to apply to all users at the same time (tested with my office co-workers).
Unfortunately I cannot add more context to this bug; I would like some indication to help me determine the root cause.
The only clue I have is that we made only one change: an upgrade from v1.36.8 to v1.38.1.
Hi @soullivaneuh,
I'm sorry to hear you are having this issue.
Please provide some additional context, when you get a chance:
Which edition of FusionAuth are you using? Forms of MFA such as Authenticator/TOTP, e.g. Google Authenticator, are included in the Community Edition. However, email and SMS MFA, including Twilio, is a paid feature. Please see our pricing page for more information on the features included in each edition.
https://fusionauth.io/docs/v1/tech/guides/multi-factor-authentication#tenant-set-up
If you are using a paid version, what options do you have enabled under Tenant > Edit Tenant > Multi-Factor? Please upload a screenshot here.
For the users that you’ve enabled MFA on, which form of MFA is enabled? The options are authenticator, email, and sms.
https://fusionauth.io/docs/v1/tech/apis/users#update-a-user
Did you enable MFA through the self service account, User API, or build your own MFA interface?
https://fusionauth.io/docs/v1/tech/guides/multi-factor-authentication#tenant-set-up
Can you confirm which cookies you are deleting? I can confirm that when I clear cookies on Chrome and try to log back into an application that has MFA enabled, I am prompted for an MFA challenge again. This has to do with cookies FusionAuth is storing in the browser to trust the device.
Do you have application level MFA enabled and if so, how are you enforcing it? Please check by navigating to your admin dashboard and navigating to Applications > the application mentioned above > Edit this Application > Multi-Factor Authentication and upload a screenshot of all the settings, when you get a chance.
Thank you,
Johnathon
FusionAuth
Hi,
Thanks for the help, here are the answers:
Which edition of FusionAuth are you using?
Starter plan.
If you are using a paid version, what options do you have enabled under Tenant > Edit Tenant > Multi-Factor? Please upload a screenshot here.
Here is the extract:

For the users that you’ve enabled MFA on, which form of MFA is enabled?
Currently, authenticator and email provider are enabled but both produce the reported issue.
Did you enable MFA through the self service account, User API, or build your own MFA interface?
Both of:
- Built our own MFA interface (legacy) using the FusionAuth API in the background.
- Use the self-service account.
Currently both are available; we are in the middle of a migration process.
Can you confirm which cookies you are deleting? I can confirm that when I clear cookies on Chrome and try to log back into an application that has MFA enabled, I am prompted for an MFA challenge again.
We do not remove FusionAuth related cookies, only the PHPSESSID cookie generated by our PHP application.
When we do so and refresh the page, our app's security firewall redirects to the FusionAuth OAuth process redirect.
This is the point at which the code is asked for again.
Do you have application level MFA enabled and if so, how are you enforcing it?
The tenant level is used:

For the tenant settings, please see the previous details block.
Regards
We have a question about that subject: can the 2FA computer trust option be reset if the user's external IP changes?
I just saw https://github.com/FusionAuth/fusionauth-issues/issues/1905 being resolved. Is it related to my issue?
Hi @soullivaneuh,
Are you still on v1.38.1 of FusionAuth? I can't say for certain, but we did update how we are determining if a TTL two-factor trust is being calculated. Would it be possible for you to update your version of FusionAuth to the latest and re-test this issue 1847?
We are constantly updating your application to the latest version and we are currently on v1.40.2.
As said in the original issue body, it is hard to "re-test" as it does not happen for everyone in every environment. However, some colleagues seem to still have the issue after the upgrade, even if it looks like we have fewer occurrences than before (to be monitored).
If it's related to your fix, is it possible that there is a lag between the fix deployment and its positive impact?
This is unfortunately still broken, even in the latest version. It also appears to be similar to this issue:
https://github.com/FusionAuth/fusionauth-issues/issues/1917
For us it happens both when attempting to log in to auth administration, as well as when attempting to log in to one of our applications. But primarily and most often on auth administration. The only thing configured for the auth administration application is a JWT Populate lambda to set the correct audience.