|
| 1 | +3. 2FA for Course Team Accounts |
| 2 | +----------------------------------------- |
| 3 | + |
| 4 | +Status |
| 5 | +------ |
| 6 | + |
| 7 | +Proposed |
| 8 | + |
| 9 | +Context |
| 10 | +------- |
| 11 | + |
| 12 | +Course team accounts have a great deal of access to and control over sensitive information as well as the ability to run arbitrary Javascript on the LMS. An attacker who compromises an educator account could do a large amount of damage. To protect our learners (and our reputation) we should require 2FA or other enhanced account security for all accounts with these elevated permissions. |
| 13 | + |
| 14 | +An attacker should find it difficult to gain access to the privileged aspects of an educator's account (even if in possession of their password). |
| 15 | + |
| 16 | + |
| 17 | +Proposed Solutions |
| 18 | +------------------ |
| 19 | + |
| 20 | +Option 1: Enable Two Factor Authentication (2FA) |
| 21 | + |
| 22 | +Option 2: Ask users for their password before specific restricted actions on site |
| 23 | + |
| 24 | +Option 3: Reset password after a specific time period |
| 25 | + |
| 26 | + |
| 27 | +Decision |
| 28 | +-------- |
| 29 | + |
| 30 | +We have decided to go with Option 1. We will enable **Two Factor Authentication** (2FA) for user accounts that belong to course teams (in some cases these can be staff accounts as well). |
| 31 | + |
| 32 | +This change can be accommodated within our current login flow. A high level flow of this process is as follow: |
| 33 | + |
| 34 | +- A user belonging to a course team will authenticate themselves like they currently do, either by providing login credentials or by SSO. |
| 35 | +- Once they have authenticated successfully they will be authenticated by a 2FA method |
| 36 | +- After successful verification of 2FA code, assign a session to user. |
| 37 | + |
| 38 | +Why choose 2FA? |
| 39 | +*************** |
| 40 | + |
| 41 | +- It is a conventional way to secure user accounts. |
| 42 | +- We can protect staff users at the first step they take on our site i.e authentication. |
| 43 | +- Development wise it will not require extensive effort as compared to the second option. |
| 44 | + |
| 45 | + |
| 46 | +Two Factor Authentication approaches |
| 47 | +************************************ |
| 48 | + |
| 49 | +- Email Token |
| 50 | +- Sms Token |
| 51 | +- Push Based 2FA |
| 52 | +- TOTP |
| 53 | +- U2F Security Keys |
| 54 | + |
| 55 | + |
| 56 | +Comparison |
| 57 | +********** |
| 58 | + |
| 59 | +.. list-table:: **Comparison of 2FA methods** |
| 60 | + :widths: 10 15 15 15 |
| 61 | + :header-rows: 1 |
| 62 | + :stub-columns: 1 |
| 63 | + |
| 64 | + * - Types |
| 65 | + - Intro |
| 66 | + - Pros |
| 67 | + - Cons |
| 68 | + * - Email Token |
| 69 | + - Send a token to the registered email address and verify the token, during login. |
| 70 | + - - Works fine if the email is secured |
| 71 | + - Extra device not needed |
| 72 | + - We already have user email so we will not be requiring any personal information from the user. |
| 73 | + - - Vulnerable if password is reused. (most users keep same password) |
| 74 | + - Vulnerable if device is compromised (malware attack) |
| 75 | + - Not secured as other 2FA methods. |
| 76 | + - Email delivery concern. |
| 77 | + * - SMS Token |
| 78 | + - Send a token to the registered mobile number and verify the token, during login. |
| 79 | + - - No need to install extra app |
| 80 | + - Works fine if mobile network is not ported |
| 81 | + - - Vulnerable to targeted attacks like social engineering and number porting etc. |
| 82 | + - Requires a cell phone. |
| 83 | + - Privacy concern (people not comfortable giving phone number) |
| 84 | + - Cannot use if phone is dead or unable to reach signals |
| 85 | + - We will be getting a mobile phone number ( a new info) so we will be needing compliance approval. |
| 86 | + * - Push Based |
| 87 | + - Send a push notification on your trusted device, the prompt will ask for accept and denial. |
| 88 | + - - Secured |
| 89 | + - Convenient |
| 90 | + - Time saving |
| 91 | + - - Cannot use single app for multiple sites |
| 92 | + - Requires signal and connection |
| 93 | + - Cannot use if phone is dead |
| 94 | + - Requires custom integrations from providers. |
| 95 | + * - U2F |
| 96 | + - Using small USB, NFC or Bluetooth Low Energy (BTLE) devices often called “security keys.” To set it up on a site, you register your U2F device. And then tap on the device when logging in. |
| 97 | + - - Secured |
| 98 | + - Can use same U2F device for multiple sites |
| 99 | + - - Needs a device |
| 100 | + - Cost |
| 101 | + - Support (only chrome supports U2F currently) |
| 102 | + - NFC only available on android mobiles |
| 103 | + - Vulnerable to physical theft of device. |
| 104 | + * - TOTP |
| 105 | + - Use an authenticator app on another phone to generate time-based codes locally based on secret keys. |
| 106 | + - - Secured |
| 107 | + - Generate codes locally |
| 108 | + - Time based code (valid for some seconds) |
| 109 | + - Standardized |
| 110 | + - Does Not require signal or connection therefore not vulnerable to social engineering attacks like number porting. |
| 111 | + - Some authenticator apps do not require a mobile device either. |
| 112 | + - Does not require any personal information from user. |
| 113 | + - - Cannot use if phone is dead |
| 114 | + - Not convenient (need to type code within a time frame) |
| 115 | + - Vulnerable if the mobile is compromised and TOTP for the website has been set up on the same mobile with the app. |
| 116 | + |
| 117 | + |
| 118 | +Preferred Method |
| 119 | +---------------- |
| 120 | + |
| 121 | +We have **TOTP** (Time-based on time password) as preferred two-factor authentication method. |
| 122 | + |
| 123 | +**TOTP** |
| 124 | + TOTP stands for Time-based One-Time Passwords and is a common form of two factor authentication (2FA). Unique numeric passwords are generated with a standardized algorithm that uses the current time as an input. The time-based passwords are available offline and provide user friendly, increased account security when used as a second factor. (ref). |
| 125 | + |
| 126 | + |
| 127 | +Issues with previous approach |
| 128 | +------------------------------ |
| 129 | + |
| 130 | +Previously our approach was to either reduced session expiration time or go with 2FA and Password reset after some time simultaneously but there were some problems with this approach: |
| 131 | + |
| 132 | +- Reducing session expiration to 2 weeks from 4 weeks was not making a big difference and if we reduce it to 1 day then it was an issue for course teams since they are normally making changes that might span over a few days and they might lose those edit if they don't save them as draft. |
| 133 | + |
| 134 | +- Resetting passwords often makes people more likely to pick simple passwords. Also we should avoid doing password resets except in cases of known compromise. |
| 135 | + |
| 136 | +Based on these reasoning, we decided to look into other kinds of 2FA. |
| 137 | + |
| 138 | + |
| 139 | +Consequences |
| 140 | +************ |
| 141 | + |
| 142 | +Adds an additional step for some users which can negatively affect the user experience. |
| 143 | + |
| 144 | + |
| 145 | +References |
| 146 | +---------- |
| 147 | + |
| 148 | +Corresponding Security Ticket: |
| 149 | +https://2u-internal.atlassian.net/browse/SEG-96 |
| 150 | + |
| 151 | +Detailed analysis of all security enhancements options provided above can be found here: |
| 152 | +https://openedx.atlassian.net/l/c/3HKHjZY4 |
0 commit comments