For general locked-out users (those without admin-like roles) I think it's acceptable to relay trust to their email provider. If locked out, these people could initiate a TFA reset process where they're emailed a link that once clicked (and after verifying correct password) simply disables TFA for their account. This process could be limited to certain users (roles or code-based).

Provide a TFA plugin (for the final TFA login form, which cannot be allowed for admin roles & module maintainer) and a menu callback that validates the link and the user's password, then disables TFA.

Comments

drumm

Issue tags: +affects drupal.org
coltrane

Linking to https://www.drupal.org/node/2481253 since it has a similar purpose, perhaps could be unified.

pjcdawkins

Just so long as this is entirely optional (based on permissions?), as it weakens the point of TFA.

coltrane

Yes, it'll be an optional plugin (as well as per role) and it can form alter the admin page so as to warn about the security risk of enabling.

banviktor

Status: Active » Needs review
File: new, 12.79 KB

Here is a solution which uses the link generation algorithm from my #2481253: Allow Drush uli login command to bypass TFA patches (=> valid until login or 24 hours - configurable). The plugin is optional and when enabled a set of roles can be selected that can't use this plugin (defaults to administrator).

I had to extract the TFA disable process into tfa_basic_disable_tfa($account) to avoid code duplication.

banviktor

Should the default excluded roles be everything but the authenticated role?

banviktor

Files: new, 12.63 KB; new, 2.06 KB

Default excluded roles are every role except authenticated. Also, a watchdog event is recorded on a successful reset link access.
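To make the reset flow discussed in the comments above concrete (link valid until login or 24 hours, a set of excluded roles defaulting to everything but authenticated, password check, TFA disable, logout and a log entry), here is an added example in Python. It is not the tfa_basic patch's code: the token construction only follows the shape of Drupal 7's user_pass_rehash() (an HMAC over timestamp, last-login time and uid, keyed with a site private key and the password hash), and the user store, role names, private key and PBKDF2 password hashing are constructed for illustration.

```python
"""Time-limited TFA reset link: generation, validation, and the disable step.

Added example, not the patch's code. Because the last-login timestamp is part
of the MAC, a link dies when the user logs in (or changes password) and is
rejected outright after RESET_LINK_LIFETIME seconds.
"""
import base64
import hashlib
import hmac
import logging
import os
import time

log = logging.getLogger("tfa_reset")

SITE_PRIVATE_KEY = b"constructed-private-key-replace-in-production"  # constructed
RESET_LINK_LIFETIME = 24 * 60 * 60  # seconds; the patch makes this configurable
ALL_ROLES = {"authenticated", "administrator", "editor"}  # constructed role list
DEFAULT_EXCLUDED_ROLES = ALL_ROLES - {"authenticated"}  # patch default: all but authenticated


def hash_password(password: str, salt: bytes = None) -> str:
    """PBKDF2 stand-in for Drupal's password hashing; returns 'salthex$hashhex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return f"{salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def _rehash(user: dict, timestamp: int) -> str:
    """HMAC(timestamp || login || uid) keyed with private key + password hash."""
    message = f"{timestamp}{user['login']}{user['uid']}".encode()
    key = SITE_PRIVATE_KEY + user["pass"].encode()
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def generate_reset_link(user: dict, now: int = None) -> str:
    """Build the path that is emailed; only the server can mint a valid hash."""
    timestamp = int(now if now is not None else time.time())
    return f"/user/{user['uid']}/tfa-reset/{timestamp}/{_rehash(user, timestamp)}"


def parse_reset_link(path: str):
    """Split '/user/<uid>/tfa-reset/<timestamp>/<hash>' back into its parts."""
    _, _, uid, _, timestamp, token = path.split("/")
    return int(uid), int(timestamp), token


def tfa_reset(users, uid, timestamp, token, password, now=None,
              excluded_roles=DEFAULT_EXCLUDED_ROLES):
    """Validate link and password, then disable TFA. Returns (ok, reason)."""
    now = int(now if now is not None else time.time())
    user = users.get(uid)
    if user is None or not user["tfa_enabled"]:
        return False, "no account with TFA enabled"  # also blocks reuse of a spent link
    if user["roles"] & excluded_roles:
        return False, "role not allowed to use email reset"
    if timestamp > now or now - timestamp > RESET_LINK_LIFETIME:
        return False, "link expired"
    # A login after minting changes user['login'], so the MAC no longer matches.
    if not hmac.compare_digest(token, _rehash(user, timestamp)):
        return False, "invalid link"
    if not check_password(password, user["pass"]):
        return False, "wrong password"
    user["tfa_enabled"] = False  # stand-in for tfa_basic_disable_tfa($account)
    user["session"] = None       # stand-in for tfa_logout()
    log.warning("TFA disabled via email reset link for uid %s", uid)  # the watchdog event
    return True, "tfa disabled"


def demo_users():
    """Constructed user table: uid 1 is an administrator, uid 2 a plain user."""
    return {
        1: {"uid": 1, "pass": hash_password("admin-pw"), "login": 1_700_000_000,
            "roles": {"authenticated", "administrator"}, "tfa_enabled": True, "session": "s1"},
        2: {"uid": 2, "pass": hash_password("user-pw"), "login": 1_700_000_000,
            "roles": {"authenticated"}, "tfa_enabled": True, "session": "s2"},
    }
```

The order of checks matters: the role and expiry checks happen before the MAC comparison so an excluded account never gets a usable token, and the password is verified only after the link itself has been proven genuine, which keeps the mailed link from becoming a password-guessing oracle on its own.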

banviktor

Status: Needs review » Needs work

It wasn't such a bright idea working on the 2 issues simultaneously while sharing some of the solution's code. I will get back to this when #2481253: Allow Drush uli login command to bypass TFA is committed.

banviktor

Status: Needs work » Needs review
Files: new, 12.72 KB; new, 1.59 KB

Keeping up with the changes made in #2481253: Allow Drush uli login command to bypass TFA.

Also added a tfa_logout() line in TfaBasicReset::validateForm().

banviktor

Status: Needs review » Postponed

edvanleeuwen

Tested and verified in combination with #2481253: Allow Drush uli login command to bypass TFA. Tried giving that a bump to be committed.