Difference between revisions of "User:Brad Linden/Login MFA"
Brad Linden (talk | contribs): initial spec for viewer MFA feature requirements
Revision as of 11:25, 4 February 2022
New Parameters
Any viewer that does not supply these fields will be interpreted as not supporting MFA features.
- "token": The user's entered Time-based One-Time Password (TOTP) token. This should be the empty string for login attempts that are not responding to an MFA challenge.
- "mfa_hash": The saved hash value and timestamp from a previously successfully answered MFA challenge. This should be the empty string initially.
New Returned Fields
- "mfa_hash": The optional hash value and timestamp from a successfully answered MFA challenge. This should be saved in secure storage scoped to the user and current grid, similar to how passwords are stored. Currently the timestamps expire after 30 days. Subsequent login attempts for the same user and grid combination should fill in this value in the "mfa_hash" parameter of the login request.
New Errors
- login failure reason - mfa_challenge: A new failure reason that should be handled by displaying a prompt to enter the TOTP token, and retrying the login request with that value in the "token" parameter.
- login failure message - LoginFailedAuthenticationMFARequired: The message to be presented to the user when prompting for the token, for example:
  To continue logging in, enter a new token from your multifactor authentication app. If you feel this is an error, please contact support@secondlife.com
- login failure message - LoginFailedAuthenticationFailedMFA: A new login failure message, similar to the password failure message. When MFA is required, this indicates that either the password or the TOTP token entered was not correct, without saying which. For example:
  Sorry! We couldn't log you in. Please check to make sure you entered the right
  * Username (like bobsmith12 or steller.sunshine)
  * Password
  * Token
  Also, please make sure your Caps Lock key is off.
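The whole exchange above (the "token" and "mfa_hash" parameters, the returned "mfa_hash", the mfa_challenge reason and the two failure messages) as an added, runnable simulation. This is example code written for this page, not viewer or grid code from Linden Lab. Assumptions not on the page: the login is modelled as a plain Python function rather than the real XML-RPC call; the "mfa_hash" layout "<timestamp>:<hmac>", the server key, the user table, the grid name "agni", the reason code "key" for ordinary credential failures and the message name LoginFailedAuthenticationFailed are all constructed; a viewer that omits the MFA fields is simply logged in with its password, which the page leaves unspecified. TOTP is computed per RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), which is what an authenticator app shows.

```python
"""Simulated viewer/grid login exchange with the MFA fields described above (example only)."""
import hashlib
import hmac
import struct
import time

GRID = "agni"                              # assumed grid name, used only to scope storage
MFA_HASH_TTL = 30 * 24 * 3600              # page: mfa_hash timestamps expire after 30 days
SERVER_KEY = b"constructed-server-secret"  # constructed; a real grid would keep this in an HSM/KMS
USER_DB = {                                # constructed test account
    "bobsmith12": {"password": "hunter2", "totp_secret": b"12345678901234567890"},
}


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code the user's authenticator app displays."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _make_mfa_hash(user: str, grid: str, issued: int) -> str:
    # Assumed layout "<timestamp>:<hmac>"; the page only says "hash value and timestamp".
    mac = hmac.new(SERVER_KEY, f"{user}|{grid}|{issued}".encode(), hashlib.sha256).hexdigest()
    return f"{issued}:{mac}"


def _mfa_hash_valid(user: str, grid: str, mfa_hash: str, now: float) -> bool:
    """A remembered challenge is good only if unexpired and the HMAC binds it to this user/grid."""
    try:
        issued = int(mfa_hash.split(":", 1)[0])
    except ValueError:
        return False
    if now - issued > MFA_HASH_TTL:
        return False
    return hmac.compare_digest(_make_mfa_hash(user, grid, issued), mfa_hash)


def _fail(reason: str, message: str) -> dict:
    return {"login": "false", "reason": reason, "message": message}


def server_login(params: dict, now=None) -> dict:
    """Mock grid login endpoint implementing the parameters, returned field and errors above."""
    now = time.time() if now is None else now
    user, grid = params["username"], params["grid"]
    record = USER_DB.get(user)
    password_ok = record is not None and hmac.compare_digest(
        params["password"].encode(), record["password"].encode())
    token, mfa_hash = params.get("token", ""), params.get("mfa_hash", "")
    mfa_supported = "token" in params and "mfa_hash" in params  # page: missing fields == no MFA support
    if token == "" and not password_ok:
        return _fail("key", "LoginFailedAuthenticationFailed")   # ordinary password failure (names assumed)
    if not mfa_supported:
        return {"login": "true"}   # legacy viewer; policy for this case is assumed, not from the page
    if _mfa_hash_valid(user, grid, mfa_hash, now):
        return {"login": "true"}   # previously answered challenge still inside the 30-day window
    if token == "":
        return _fail("mfa_challenge", "LoginFailedAuthenticationMFARequired")
    token_ok = record is not None and hmac.compare_digest(
        token.encode(), totp(record["totp_secret"], now).encode())
    if not (password_ok and token_ok):
        # Once MFA is required, do not reveal whether the password or the token was wrong.
        return _fail("key", "LoginFailedAuthenticationFailedMFA")
    return {"login": "true", "mfa_hash": _make_mfa_hash(user, grid, int(now))}


class ViewerSession:
    """Viewer side: challenge handling, retry with the token, and per-(user, grid) storage."""

    def __init__(self, prompt_token):
        self.secure_storage = {}          # stands in for the viewer's credential store
        self.prompt_token = prompt_token  # callback(message, now) -> TOTP the user typed
        self.prompts = 0

    def login(self, user: str, password: str, grid: str = GRID, now=None) -> dict:
        now = time.time() if now is None else now
        params = {"username": user, "password": password, "grid": grid,
                  "token": "", "mfa_hash": self.secure_storage.get((user, grid), "")}
        resp = server_login(params, now)
        if resp.get("reason") == "mfa_challenge":
            self.prompts += 1
            params["token"] = self.prompt_token(resp["message"], now)
            resp = server_login(params, now)
        if resp["login"] == "true" and resp.get("mfa_hash"):
            self.secure_storage[(user, grid)] = resp["mfa_hash"]
        return resp


def demo(prompt=None, t0: int = 1_700_000_000) -> dict:
    """First login is challenged, the next day it is not, after 31 days it is challenged again."""
    secret = USER_DB["bobsmith12"]["totp_secret"]
    viewer = ViewerSession(prompt or (lambda _msg, now: totp(secret, now)))
    results = {
        "first": viewer.login("bobsmith12", "hunter2", now=t0),
        "next_day": viewer.login("bobsmith12", "hunter2", now=t0 + 24 * 3600),
        "expired": viewer.login("bobsmith12", "hunter2", now=t0 + 31 * 24 * 3600),
    }
    results["prompts"] = viewer.prompts
    return results


if __name__ == "__main__":
    print(demo())
```

The viewer never inspects the contents of "mfa_hash"; it only stores and replays it, keyed by user and grid, which is why the server must bind the value to both with a MAC. Passing a prompt callback that returns a wrong token shows the combined LoginFailedAuthenticationFailedMFA path, where a wrong password and a wrong token are deliberately indistinguishable.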