
MFA code request is blocking website #3029

Open
shbchk opened this issue Feb 19, 2023 · 11 comments

Comments

@shbchk

shbchk commented Feb 19, 2023

EE 7.2.9

With MFA enabled, a user can face this instead of page content:

[screenshot: image_2023-02-19_15-00-17]

But after reloading this request is gone.

How to reproduce:

  1. Log in to your CP (tick the "Keep me logged in" checkbox). Close the tab, but not the browser. After an hour open any page of your website and see the MFA request instead of the content.

  2. Log in to your CP (keep the "Keep me logged in" checkbox unchecked). Open any page. Do not close it. After an hour you will see the password request in a modal. Log in using this modal, and you will see the MFA request in the same modal. Open a page in a new tab - you will see the blocked website.

shbchk changed the title from "EE request for MFA code is blocking website" to "MFA code request is blocking website" on Feb 19, 2023
@intoeetive
Contributor

At a first glance, this behavior seems correct to me.

You're getting past the first authorization step (password) but not completing the second step (code). Therefore when you try to access the CP or content, you're being presented with the dialog.

When you reload the MFA dialog page, you're getting logged out - this is expected behavior, as the authorization was not completed.

@shbchk
Author

shbchk commented Mar 6, 2023

Well, not exactly.

When it's the first way to reproduce this behavior (log in and come back later), there are no password requests, just a blocked page.

And website pages are supposed to be accessible by anyone, regardless of authorization. It's just wrong to block them. Maybe, MFA request should pop up in a modal with a close button?

@intoeetive
Contributor

This behavior is correct:

But after reloading this request is gone.

So the page IS accessible - but the user needs to be in either Logged In (both authorization steps complete) or Logged Out state (if you reload the MFA dialog without entering the code, the user gets logged out)

@shbchk
Author

shbchk commented Mar 6, 2023

I have to disagree :) A public website page does not require any user to be logged in, so the user doesn't need to be logged in or logged out to see it. When he is logged out, he shouldn't be able to access the profile, CP or front-end editing tools, but page content should always be accessible.

And, btw, if one checked the "remember me" checkbox, why does EE still ask him for MFA?

@shbchk
Author

shbchk commented Mar 6, 2023

Maybe there is some misunderstanding here.

How to reproduce:

  1. Fully (with both password and MFA code) log in to your CP (tick the "Keep me logged in" checkbox). After logging in and MFA code close the tab, but not the browser. After an hour open any page of your website and see the MFA request instead of the content.

@intoeetive
Contributor

Do you have other tabs with CP opened at this time? Or just the frontend pages?

@shbchk
Author

shbchk commented Mar 6, 2023

No, no EE pages at all.

  1. Open a tab with EE CP.
  2. Log in.
  3. Close this tab.
  4. Open the website's index page an hour later.

That's all. Checked several times on a local test EE installation just to be sure :)

@nep

nep commented Feb 16, 2024

Hi, I'd like to add my $0.02. ($0.04)

  1. The idea of MFA is to confirm the identity of the user with a second type of authentication, not to REconfirm the identity of the user at a different time than the password.

  2. Once I'm logged in, if I indicate (check the box) that I want to stay logged in, I don't just mean I don't want to re-enter my password, I mean I want to not be challenged again.

  3. The MFA request is, on balance, MORE of a hurdle than the password, so if you're making a process asking me to REconfirm who I am, I'd rather it be the password than the MFA token.

  4. The MFA dialog doesn't have any way of cancelling -- a close box, a CANCEL, anything is better than just this dialog that appears and is confusing, unbranded, and unexpected until you experience it.

So overall, I think that this is a bad idea on public pages, and, in order of preference, I suggest:

  • it shouldn't come up at all unless it's part of a login
  • the password should be what comes up to re-confirm identity
  • you shouldn't need to reconfirm with MFA if you've checked "Remember Me"
  • and regardless of the decisions above, the MFA default template should have a way to cancel out and a link to the home page, the way other site alerts do, like when you're submitting a form and get an error.

@robinsowell
Contributor

Linking in this discussion as well, per remember me functionality #3169

@intoeetive
Contributor

Thinking about it more, I do agree that MFA should not be required when you re-confirm login with password.

And it definitely should not show up when "remember me" is checked.

I'm adding the above PR as a way to cancel the dialog; however, there's more work required.
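
The access-control policy this thread converges on (public pages always render, only protected routes challenge, an idle session re-confirms with the password alone, and "remember me" skips that re-check), placed beside the behaviour the report describes, as an added Python sketch that is not ExpressionEngine's code. The state names, the 3600-second idle timeout and the `protected` route flag are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum

IDLE_TIMEOUT = 3600  # seconds; assumed, matching the "after an hour" in the report

class AuthState(Enum):
    ANONYMOUS = "anonymous"          # no login at all
    PASSWORD_ONLY = "password_only"  # first factor passed, MFA code still pending
    AUTHENTICATED = "authenticated"  # both factors completed

class Decision(Enum):
    SERVE = "serve"                      # render the page content
    PASSWORD_PROMPT = "password_prompt"  # re-confirm with the password only
    MFA_PROMPT = "mfa_prompt"            # ask for the second factor

@dataclass
class Session:
    state: AuthState
    remember_me: bool
    idle_seconds: int  # time since the last request seen for this session

def decide_as_reported(session: Session, protected: bool) -> Decision:
    """Behaviour described in the report: the route type is ignored, so an
    incomplete or idle-expired session is challenged even on public pages."""
    if session.state is AuthState.PASSWORD_ONLY:
        return Decision.MFA_PROMPT
    if session.state is AuthState.AUTHENTICATED and session.idle_seconds >= IDLE_TIMEOUT:
        # step 1 of the repro: remember-me session goes straight to the MFA dialog;
        # step 2: without remember-me the password modal comes first
        return Decision.MFA_PROMPT if session.remember_me else Decision.PASSWORD_PROMPT
    return Decision.SERVE

def decide_proposed(session: Session, protected: bool) -> Decision:
    """Policy the thread argues for: public content never blocks, a pending
    second factor only matters on protected routes, idle re-confirmation is
    password-only, and remember-me sessions are not re-challenged at all."""
    if not protected:
        return Decision.SERVE                # MFA-pending is treated like anonymous here
    if session.state is AuthState.ANONYMOUS:
        return Decision.PASSWORD_PROMPT      # normal login; MFA follows the password
    if session.state is AuthState.PASSWORD_ONLY:
        return Decision.MFA_PROMPT           # still completing the original login
    if session.remember_me or session.idle_seconds < IDLE_TIMEOUT:
        return Decision.SERVE
    return Decision.PASSWORD_PROMPT          # idle timeout: password only, no MFA
```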

@TomJaeger
Contributor

Pulling @matthewjohns0n into the conversation for reference as well.
