User:Brad Linden/Login MFA
Any viewer that does not supply these fields in its login requests will be interpreted as not supporting MFA features.
- "token"
  - The user's entered Time-based One-Time Password (TOTP) token. This should be the empty string for login attempts that are not responding to an MFA challenge.
- "mfa_hash"
  - The saved hash value and timestamp from a previously successfully answered MFA challenge. This should be the empty string initially.
New Returned Fields
- The optional hash value and timestamp from a successfully answered MFA challenge. This should be saved in secure storage scoped to the user and current grid similar to how saved passwords are stored. Currently the timestamps expire after 30 days. Subsequent login attempts for the same user and grid combination should fill in this value in the "mfa_hash" parameter of the login request.
- login failure reason - mfa_challenge
  - A new failure reason that should be handled by displaying a prompt to enter the TOTP token, and retrying the login request with that value in the "token" parameter.
- login failure message - LoginFailedAuthenticationMFARequired
  - The message to be presented to the user when prompting for the token, for example:
    To continue logging in, enter a new token from your multifactor authentication app. If you feel this is an error, please contact firstname.lastname@example.org
- updated login failure message - LoginFailedAuthenticationFailed
  - A new login failure message, similar to the password failure message. When MFA is required, this indicates that either the password or the TOTP token entered was not correct. For example:
    Sorry! We couldn't log you in. Please check to make sure you entered the right
    * Username (like bobsmith12 or steller.sunshine)
    * Password
    * Second Factor Token (if enabled)
    Also, please make sure your Caps Lock key is off.
New Debug Settings
- "MFAHash" - string
  - This setting overrides the stored mfa_hash value for testing purposes. It is applied at login time, and will overwrite any saved mfa_hash value for the account that is logging in. It is typically used to set the mfa_hash value to "0" or some other value that is known to be invalid, in order to force a new token challenge from the login server. It is non-persistent as a debug setting, but it affects how the encrypted storage for the mfa_hash value is persisted. It must be set from the command line or from the Debug menu prior to logging in.
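The whole viewer-side flow described on this page (send the saved "mfa_hash", handle the "mfa_challenge" failure reason by prompting for a TOTP token and retrying with it in "token", store the returned hash, honour the 30-day expiry and the MFAHash debug override) as an added example; this is not viewer or login-server code. The login server here is a constructed stand-in, and its response dictionary shape and the "authentication_failed" reason string are assumptions, not the real protocol.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

MFA_HASH_LIFETIME = timedelta(days=30)  # the page: saved mfa_hash timestamps expire after 30 days


class MockLoginServer:
    """Constructed stand-in for the grid login server (response shape is assumed, not SL's)."""

    def __init__(self, password, current_totp):
        self.password = password
        self.current_totp = current_totp    # what the user's authenticator app shows right now
        self.secret = secrets.token_bytes(32)
        self.issued = {}                    # mfa_hash -> time it was issued

    def login(self, username, password, token="", mfa_hash="", now=None):
        now = now or datetime.now(timezone.utc)
        failed = {"ok": False, "reason": "authentication_failed",   # reason string is assumed
                  "message": "LoginFailedAuthenticationFailed"}
        if password != self.password:
            return failed
        issued_at = self.issued.get(mfa_hash)
        if issued_at is not None and now - issued_at < MFA_HASH_LIFETIME:
            return {"ok": True, "mfa_hash": mfa_hash}        # saved hash still valid: no challenge
        if token == "":                                      # first attempt, not answering a challenge
            return {"ok": False, "reason": "mfa_challenge",
                    "message": "LoginFailedAuthenticationMFARequired"}
        if token != self.current_totp:                       # wrong token is reported like a wrong password
            return failed
        new_hash = hmac.new(self.secret, f"{username}:{now.isoformat()}".encode(),
                            hashlib.sha256).hexdigest()
        self.issued[new_hash] = now
        return {"ok": True, "mfa_hash": new_hash}


def viewer_login(server, username, password, saved_mfa_hash, prompt_for_token,
                 debug_mfa_hash=None, now=None):
    """Viewer-side flow: send the stored mfa_hash, answer at most one mfa_challenge,
    and hand back the mfa_hash that should go into secure per-user, per-grid storage."""
    mfa_hash = saved_mfa_hash if debug_mfa_hash is None else debug_mfa_hash  # MFAHash debug override
    resp = server.login(username, password, token="", mfa_hash=mfa_hash, now=now)
    challenged = not resp["ok"] and resp["reason"] == "mfa_challenge"
    if challenged:
        token = prompt_for_token()  # UI shows the MFARequired message and collects the TOTP code
        resp = server.login(username, password, token=token, mfa_hash=mfa_hash, now=now)
    stored = resp["mfa_hash"] if resp["ok"] else mfa_hash
    return {"ok": resp["ok"], "challenged": challenged, "mfa_hash": stored}
```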