
[Category] MFA

Open robotdan opened this issue 5 years ago • 3 comments

MultiFactor Authentication

Expand the scope and features around multi-factor authentication.

Project

Multi-Factor authentication is a broad topic and FusionAuth currently supports some basic options for multi-factor authentication. The current options include the application based TOTP (Google Authenticator, Authy, etc) and Twilio SMS push.

The options for MFA are expanding quickly and more of our clients require these solutions or are purchasing them from third parties to augment the FusionAuth feature set.

The goal of this project is to provide a comprehensive set of options, capabilities and policies around multi-factor authentication in FusionAuth.

Delivered in 1.26.0

Some of the features and use cases outlined here were delivered in 1.26.0.

  • Additional support for other SMS providers
  • One to many configurations of Twilio assigned per tenant
  • User self service for account profile and two-factor configuration
  • Support for one to many two-factor methods of type authenticator, sms or email
  • Localized sms templates
  • Change root landing page from a redirect to /admin to a themed page
  • Email or mobilePhone is not tied to the user account, so you can add a spouse's or partner's email or phone as a two-factor method on your account.
  • Added recovery codes
  • Generic option for 3rd party SMS providers via a JSON rest API
  • Step up 2FA API

Issues delivered in 1.26.0

  • https://github.com/FusionAuth/fusionauth-issues/issues/378
  • https://github.com/FusionAuth/fusionauth-issues/issues/682
  • https://github.com/FusionAuth/fusionauth-issues/issues/796
  • https://github.com/FusionAuth/fusionauth-issues/issues/871
  • https://github.com/FusionAuth/fusionauth-issues/issues/1173
    • There is an API for this, so you can download them if you want. The codes are not downloadable via our UI, but shown once when enabling two-factor for the first time.

Partially available

  • https://github.com/FusionAuth/fusionauth-issues/issues/87
    • This is in the code, but not currently modifiable. Not sure if anyone even needs this configuration.

Use Cases

  1. User logs into FusionAuth admin console, requires 2FA because this application is considered more secure.
    • Other users in the same tenant that may be logging into other applications may not be required to 2FA.
    • This could also be solved as a policy for employees. Since they are logging in via SSO, and have access to the admin console, this user should always be required to complete a second factor authentication.

Components

MultiFactor options

FusionAuth currently supports "Google Authenticator" (application based TOTP), and Twilio based SMS push.

As part of this project we will be making the multi-factor options more comprehensive and flexible. A user can have one to many devices or configurations for MFA.

For example:

  • SMS push
  • Email push
  • TOTP application (such as Google Authenticator, Authy, etc)
  • Hardware based keys (FIDO2 keys)
  • Third party (phone calls, etc)
  • Implicit MFA, in this case a user may not have configured MFA yet, but a login attempt requires the password, and then a code that was pushed to your email or phone. This is a common use case for banks. This may be done based upon configured criteria, such as new device, or other administrative controls or threat detection modeling. A lambda could be used to decide when this occurs.
  • WUPHF
  • Third party MFA such as HYPR

Messaging templates

SMS is one option for push capability as it relates to MFA. As a component of this feature we will likely need to build out localizable messaging templates that can optionally be used with an SMS provider.

Extendable SMS

Currently Twilio is the only SMS provider available in FusionAuth. We will want to build a more generic interface to support all SMS providers, and similar messaging systems to push end users a message.

For example:

  • Twilio
  • AWS SNS
  • 100's of SaaS based SMS providers
  • Google Cloud Pub/Sub

This will likely be provided as a custom webhook of sorts that will require a small amount of glue code to accept a JSON message and then deliver it to the transport of your choosing.

Step Up Auth

APIs to allow step up authentication to be performed with password or multi factor options at arbitrary decisions points in your business logic or based upon configuration such as time since last login, IP address changes, or other threat detection models.

  • https://github.com/FusionAuth/fusionauth-issues/issues/449

Web Authentication (WebAuthN)

(DELIVERED) Support the WebAuthN standard natively in FusionAuth.

Federation

  • https://github.com/FusionAuth/fusionauth-issues/issues/2005

Self service

Once we enable all of these features, the end user needs to be able to manage these additional configurations and select their preferences.

Ideal use cases:

  • Themed landing page for a user
    • https://github.com/FusionAuth/fusionauth-issues/issues/378
    • https://github.com/FusionAuth/fusionauth-issues/issues/682
  • Self service user profile edit using custom forms
  • Enable / disable 2FA
  • Enable 2FA during login
    • https://github.com/FusionAuth/fusionauth-issues/issues/51
  • Delete your account and all data
    • https://github.com/FusionAuth/fusionauth-issues/issues/931

Licensing

This discussion is still happening; ideally we would leave all existing MFA options alone and require a paid edition of FusionAuth to enable the additional MFA configurations outlined here.

Related Issues

The following issues describe one or more components of this project and will be partially or fully addressed as part of this project.

  • https://github.com/FusionAuth/fusionauth-issues/issues/51
  • https://github.com/FusionAuth/fusionauth-issues/issues/87
  • https://github.com/FusionAuth/fusionauth-issues/issues/197
  • https://github.com/FusionAuth/fusionauth-issues/issues/208
  • https://github.com/FusionAuth/fusionauth-issues/issues/378
  • https://github.com/FusionAuth/fusionauth-issues/issues/449
  • https://github.com/FusionAuth/fusionauth-issues/issues/550
  • https://github.com/FusionAuth/fusionauth-issues/issues/615
  • https://github.com/FusionAuth/fusionauth-issues/issues/625
  • https://github.com/FusionAuth/fusionauth-issues/issues/682
  • https://github.com/FusionAuth/fusionauth-issues/issues/763
  • https://github.com/FusionAuth/fusionauth-issues/issues/796
  • https://github.com/FusionAuth/fusionauth-issues/issues/871
  • https://github.com/FusionAuth/fusionauth-issues/issues/931
  • https://github.com/FusionAuth/fusionauth-issues/issues/987
  • https://github.com/FusionAuth/fusionauth-issues/issues/1040
  • https://github.com/FusionAuth/fusionauth-issues/issues/1173
  • https://github.com/FusionAuth/fusionauth-issues/issues/1431
  • https://github.com/FusionAuth/fusionauth-issues/issues/1438
  • https://github.com/FusionAuth/fusionauth-issues/issues/1573
  • https://github.com/FusionAuth/fusionauth-issues/issues/1601
  • https://github.com/FusionAuth/fusionauth-issues/issues/1637
  • https://github.com/FusionAuth/fusionauth-issues/issues/2232
  • https://github.com/FusionAuth/fusionauth-issues/issues/2285
  • https://github.com/FusionAuth/fusionauth-issues/issues/2305
  • https://github.com/FusionAuth/fusionauth-issues/issues/2309
  • https://github.com/FusionAuth/fusionauth-issues/issues/2739
  • https://github.com/FusionAuth/fusionauth-issues/issues/3089

Related Specs

Proposed Step Up Spec

  • https://mailarchive.ietf.org/arch/msg/oauth/Pv3q2T-ao1eu_AAAcmt-DVDPrTo/
  • https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-08.html

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

robotdan, Oct 29 '20 22:10
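The use case, the "Implicit MFA" bullet and the "Step Up Auth" section above all describe the same decision: given what is known about this login, must a second factor be completed, and if the user has not enrolled one, should a one-time code be pushed to the verified email or phone on file? The following is an added example (not FusionAuth code, and not its lambda API) of that policy as a pure function. The policy fields, thresholds and the `enrolled`/`implicit` modes are assumptions chosen for illustration.

```python
"""Step-up / implicit MFA policy decision (added example, not FusionAuth code).

Decides whether a login or an in-app action must complete a second factor,
using the criteria listed in the issue: the application itself requiring
MFA, time since the last login, an IP address change, and an unseen device.
Field names and thresholds are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set


@dataclass
class AppPolicy:
    require_mfa: bool = False                       # e.g. the admin console
    max_login_age: timedelta = timedelta(hours=12)  # re-challenge beyond this
    step_up_on_ip_change: bool = True
    step_up_on_new_device: bool = True


@dataclass
class LoginContext:
    user_id: str
    application: str
    ip: str
    device_id: str
    now: datetime
    has_enrolled_factor: bool                 # authenticator, sms or email configured
    last_login_at: Optional[datetime] = None
    last_login_ip: Optional[str] = None
    known_devices: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    required: bool
    reasons: List[str]
    # "enrolled": challenge with a configured method
    # "implicit": push a one-time code to the verified email/phone on file
    mode: Optional[str] = None


def evaluate(policy: AppPolicy, ctx: LoginContext) -> Decision:
    """Return whether a second factor is required and why (assumed policy)."""
    reasons: List[str] = []
    if policy.require_mfa:
        reasons.append("application requires MFA")
    if ctx.last_login_at is None:
        reasons.append("first login")
    elif ctx.now - ctx.last_login_at > policy.max_login_age:
        reasons.append("last login older than allowed window")
    if policy.step_up_on_ip_change and ctx.last_login_ip and ctx.ip != ctx.last_login_ip:
        reasons.append("ip address changed")
    if policy.step_up_on_new_device and ctx.device_id not in ctx.known_devices:
        reasons.append("unrecognised device")
    if not reasons:
        return Decision(False, [])
    # A user with nothing enrolled still gets a challenge: implicit MFA pushes a
    # code to contact details already verified on the account.
    return Decision(True, reasons, "enrolled" if ctx.has_enrolled_factor else "implicit")


if __name__ == "__main__":
    # Constructed sample: same user, admin console vs. an ordinary application.
    now = datetime(2020, 10, 29, 22, 10, tzinfo=timezone.utc)
    ctx = LoginContext("u1", "admin", "10.0.0.5", "d1", now, True,
                       now - timedelta(minutes=5), "10.0.0.5", {"d1"})
    print("admin console:", evaluate(AppPolicy(require_mfa=True), ctx))
    print("other app:    ", evaluate(AppPolicy(), ctx))
```

Keeping the decision a pure function of an explicit context makes it easy to unit test each trigger on its own and to log the `reasons` list for every challenge, which is what an analyst needs when tuning thresholds or investigating why a user was (or was not) prompted.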

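The "Extendable SMS" section describes a webhook that accepts a JSON message and forwards it to whatever transport you run. The following is an added example of that glue code, not FusionAuth's own messenger implementation. The request body fields (`phoneNumber`, `textMessage`) and the shared secret carried in an `Authorization` header are assumptions here; check the FusionAuth generic messenger documentation for the real contract before relying on them.

```python
"""Generic SMS messenger webhook (added example, not FusionAuth code).

Assumed contract: FusionAuth POSTs a JSON body {"phoneNumber": "...",
"textMessage": "..."} with a configured Authorization header. The handler
checks the shared secret, validates the body and hands the message to a
pluggable transport (Twilio, SNS, or the recording stand-in used here).
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional, Tuple

# Constructed sample secret for the example; load from the environment in practice.
SHARED_SECRET = "example-secret"


def parse_message(body: bytes) -> Dict[str, str]:
    """Validate the inbound JSON; raise ValueError on anything unexpected."""
    try:
        data = json.loads(body)
    except (json.JSONDecodeError, UnicodeDecodeError) as e:
        raise ValueError(f"invalid json: {e}") from None
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    phone = data.get("phoneNumber")
    text = data.get("textMessage")
    if not isinstance(phone, str) or not phone.startswith("+") or not phone[1:].isdigit():
        raise ValueError("phoneNumber must be E.164, e.g. +15555550100")
    if not isinstance(text, str) or not text or len(text) > 1600:
        raise ValueError("textMessage must be a non-empty string")
    return {"phoneNumber": phone, "textMessage": text}


class RecordingTransport:
    """Stand-in for a real provider client: records what would have been sent."""

    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []

    def send(self, phone: str, text: str) -> str:
        self.sent.append((phone, text))
        return f"msg-{len(self.sent)}"  # provider message id (constructed)


def deliver(body: bytes, auth_header: Optional[str], transport) -> Tuple[int, dict]:
    """Authenticate, validate and forward one message; returns (status, response)."""
    expected = f"Bearer {SHARED_SECRET}"
    if not auth_header or not hmac.compare_digest(auth_header, expected):
        return 401, {"error": "unauthorized"}
    try:
        msg = parse_message(body)
    except ValueError as e:
        return 400, {"error": str(e)}
    message_id = transport.send(msg["phoneNumber"], msg["textMessage"])
    return 200, {"id": message_id}


def make_handler(transport):
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            length = int(self.headers.get("Content-Length", "0"))
            status, resp = deliver(self.rfile.read(length),
                                   self.headers.get("Authorization"), transport)
            payload = json.dumps(resp).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def log_message(self, fmt, *args):
            # Keep logging minimal: the text body carries one-time codes and
            # must never end up in an access log.
            pass
    return Handler


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), make_handler(RecordingTransport())).serve_forever()
```

Two points worth keeping when swapping in a real transport: compare the secret with `hmac.compare_digest` rather than `==`, and treat `textMessage` as a credential for logging purposes, since it contains the one-time code.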
While I understand the need to create more paid features, the self service part of the current MFA options is really lacking and it would be a shame to put it behind a paid subscription. Seems really weird to me that the MFA flow is included in the current login flow once set up, but that you need to create your own page to set up MFA.

DaviddH, Nov 03 '20 19:11

@DaviddH Thanks for your feedback!

We're aware that this feature would be useful to many people and are continually discussing what makes sense to be a premium feature and what makes sense to include in the community edition.

We love our community and sharing free, accessible software to let everyone have a world class auth experience but also need to build a sustainable business; there's obviously a tension there. We're striving to be transparent about this tension and the decisions needed. At this point we've determined that MFA as outlined above is a premium feature. Any type of “account edit” forms that we build into FusionAuth itself are going to fall into the “Advanced Forms” feature and that’s already a premium offering (see https://fusionauth.io/features/advanced-registration-forms/ for more). This fact makes the MFA forms an even more natural fit for paid editions.

If you'd like to contribute an example of a self service MFA page which you've already built out to make others' integrations with FusionAuth easier, we'd be happy to share it with others in the community. We typically use the Apache2 license for our example projects.

mooreds, Nov 03 '20 21:11

Wanted to add this link to the forum, where we mention the effect that the work related to this issue will have on existing MFA functionality: https://fusionauth.io/community/forum/topic/689/upcoming-mfa-changes

mooreds, Dec 27 '20 00:12