No Code Attached Yet J4 Issue bug
avatar jiweigert
jiweigert
22 Oct 2020

Testing 2FA-Authentication of Joomla 4 beta 5 on a new created site http://blubb.joomla.com via launch.joomla.com .
With nothing changed, except Enabling 2FA-Plugin, setting active for both Front and Backend and enabled 2-FA Authentication for
User (Super Users role).

  • Tried to login via Backend with Username and Password and 2FA-Auth code (worked)

  • Tried then to login with Username and password but 2FA-Code empty.

System informed me about invalid Secret Code. (Can be improved, it was not invalid, it was empty)
Because Username and passwordfield were signaled as good (green border), the Secret Code field remained grey/ blueish.
and the coursor were placed in the username field.

Both should be improved for the user indicate what's missing (Secret Code) with a red border and also, to make it easy to enter the missing code, by placing the cursor / focus on the Secret Code field.

Additional improvement can be a differentiate Message for an not entered (empty) Secret Code and for an invalid Secret Code entered.

Steps to reproduce the issue

  1. Setup a default / new installation of Joomla beta 5
  2. Login into Backend
  3. Enable 2FA-Authentication (Both)
  4. Enable 2FA-Authentication for user
  5. Logout
  6. Try Login into backend with correct user and passwort but without 2FA-Code.

Expected result

System Message: [Warning] The Secret Code was empty.
(When Username & Passwort is correct but 2FA-Code missing) Focus is set to 2FA-Field and field validation is set to required (validation-failed color).
no-2FA-code-expected

Actual result

System Message: [Warning] The two factor authentication Secret Key is invalid.
Focus is set on username-field, Username / PW-field has green-frame, 2FA-Field still grey-frame
screen shot 2020-10-22 at 10 13 40

System information (as much as possible)

Joomla! Version Joomla! 4.0.0-beta5-dev Development [ Mañana ] 15-September-2020 19:15 GMT
User Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36

Additional comments

I not checked Frontend-Login, but I expect same behavior

avatar jiweigert jiweigert - open - 22 Oct 2020
avatar joomla-cms-bot joomla-cms-bot - labeled - 22 Oct 2020
avatar jiweigert jiweigert - change - 22 Oct 2020
The description was changed
avatar jiweigert jiweigert - edited - 22 Oct 2020
avatar jiweigert jiweigert - change - 22 Oct 2020
The description was changed
avatar jiweigert jiweigert - edited - 22 Oct 2020
avatar jiweigert jiweigert - change - 22 Oct 2020
The description was changed
avatar jiweigert jiweigert - edited - 22 Oct 2020
avatar jiweigert jiweigert - change - 22 Oct 2020
The description was changed
avatar jiweigert jiweigert - edited - 22 Oct 2020
avatar jiweigert jiweigert - change - 23 Oct 2020
Title
Login: 2FA - UX -> no focus / no "required" on 2FA-field after login-attempt with user+pw only
[4.0] Login: 2FA - UX -> no focus / no "required" on 2FA-field after login-attempt with user+pw only
avatar jiweigert jiweigert - edited - 23 Oct 2020
avatar jiweigert jiweigert - edited - 24 Oct 2020
avatar jiweigert jiweigert - change - 24 Oct 2020
The description was changed
avatar jiweigert jiweigert - edited - 24 Oct 2020
avatar jiweigert jiweigert - change - 24 Oct 2020
The description was changed
avatar jiweigert jiweigert - edited - 24 Oct 2020
avatar jiweigert
jiweigert - comment - 24 Oct 2020

The reason is a valid form-control-success

<input name="secretkey" autocomplete="one-time-code" id="mod-login-secretkey" type="text" class="form-control valid form-control-success" aria-invalid="false">

instead of a invalid form-control-error on the input field.
I would expect that when 2FA-Check fails.

avatar jiweigert jiweigert - change - 24 Oct 2020
The description was changed
avatar jiweigert jiweigert - edited - 24 Oct 2020
avatar PhilETaylor
PhilETaylor - comment - 24 Oct 2020

Try Login into backend with correct user and passwort but without 2FA-Code.

2FA is an OPTIONAL INPUT ALWAYS, even when "enforce 2fa" is enabled... This is by design.

avatar jiweigert
jiweigert - comment - 24 Oct 2020

Phil Taylor notifications@github.com schrieb am Sa., 24. Okt. 2020, 19:57:

Try Login into backend with correct user and passwort but without 2FA-Code.

2FA is an OPTIONAL INPUT ALWAYS, even when "enforce 2fa" is enabled...
This is by design.

It's only optional, when you don't enable it.
On user's perspective, when enabled it is required to be filled out, it
should act like one login form.

If something is missing but required for login, it should be signaling with
class invalid that there was nothing entered or that what was entered,
was invalid.

And good user guidance is, to lead the user to the missing field by setting
the cursor into that field.

That behaviour you have in every good form today.

But the least thing what should be changed, is the wrong class of valid
and form-control-success, which is plain wrong and contrary to the system
message.

avatar PhilETaylor
PhilETaylor - comment - 24 Oct 2020

Trust me... I have banged my head enough with this project about 2FA. Do your research in this issue tracker.

It's only optional, when you don't enable it.

The secret key field is optional ALWAYS. Fact. The site can have "Enforce 2FA" enabled, but STILL the secret key is optional, and login is allowed without providing the secret key - by design - to allow users to login and set up their 2fa.

If something is missing but required for login, it should be signaling

Except that the system doesn't know "its required" for that user, until that user is already authenticated...

And good user guidance is, to lead the user to the missing field by setting the cursor into that field.

That might be able to be done... but probably not with the existing form validation.

avatar jiweigert
jiweigert - comment - 24 Oct 2020

You're right that the field is optional, when not setup by the user.

Maybe my description was not clear:

I used a user with already setup 2FA.

I am talking about the login form -->after<--
an unsuccessful login attempt and redirect to the login form because of a missing/ invalid 2FA Code.

And I trust you, Phil. ?

In that case, the 2FA Code is required, otherwise the 2FA Code would make no sense, because he could always login in with username and Password.

Test case 1:
testing with the same user, entering username and password, no 2FA Code gives:

Result:
Warning Two Factor code is invalid (should be "was empty" or not "was not filled out")
No indication (red border) of the Secret Code Field, no cursor in that field

Test case 2:
testing with the same user, entering username and password, invalid 2FA Code gives:

Result:
Warning Two Factor code is invalid (correct)
No indication (red border) of the Secret Code Field, no cursor in that field

Test case 3:
testing with the same user, entering username and password, valid 2FA Code gives:

Result:
User logged in successfully.

avatar jiweigert
jiweigert - comment - 24 Oct 2020

And yes, the system knows, that the user I used to login has the 2FA enabled, because I used the correct username and the correct password,
otherwise it would not show me the "Two Factor code invalid" message after the redirect to the login form to provide the missing Two Factor code.
Also it set the class "valid" and "form-control-success" to both username and password field.
(And again: Also for the 2FA field, which is wrong)

avatar jwaisner jwaisner - change - 2 Nov 2020
Labels Added: J4 Issue
avatar jwaisner jwaisner - labeled - 2 Nov 2020
avatar brianteeman
brianteeman - comment - 24 Nov 2020

And now you have just revealed that this user has 2fa

Sorry, but this current code is correct whilst it is possible to have 2fa enabled optionally per user

avatar jiweigert
jiweigert - comment - 24 Nov 2020

Sorry but I said it already in the testing instruction that the 2FA-plugin
has to be enabled and setup/ enable for the user
and "not just revealed".

When the system already can tell me that my 2FA-code is missing/ wrong/
invalid (because I was to slow)
after redirect me to the login form again,
where is the problem to set the focus to the 2FA-Field as also set this to
"invalid"
(red border) to make it easy as possible to enter the code?

And no the code is not correct for the case of a failed login-attempt for a
user which has 2FA-enabled.

Brian Teeman notifications@github.com schrieb am Di., 24. Nov. 2020,
23:40:

And now you have just revealed that this user has 2fa

Sorry, but this current code is correct whilst it is possible to have 2fa
enabled optionally per user


You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#31204 (comment),
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AQNZU5Z2LIGQXR2SOLFHRLLSRQY6LANCNFSM4S27MDVA
.

avatar brianteeman
brianteeman - comment - 24 Nov 2020

You're missing the point that both Phil and I have told you. It is possible to have users on your site both with and without TFA. What your proposing is a security issue as you are enumerating the existence of a user and if they are using tfa

avatar jiweigert
jiweigert - comment - 25 Nov 2020

And you're missing the point that I'm not talking about first login but
about behaviour after a failed login attempt of a user with enabled two
factor.
And obviously the system can put out a system message "invalid 2FA Code"
but can not set 2FA field to invalid and set focus there in that case?

That's bullshit, sorry.

And it seems you have not even checked, if the issue exist about I'm
talking about.

Or are you assuming no user with enabled 2FA do ever enter invalid/wrong
2FA Codes?

Brian Teeman notifications@github.com schrieb am Mi., 25. Nov. 2020,
00:54:

You're missing the point that both Phil and I have told you. It is
possible to have users on your site both with and without TFA. What your
proposing is a security issue as you are enumerating the existence of a
user and if they are using tfa


You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#31204 (comment),
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AQNZU5ZFDXK3O4VBITYWRUTSRRBUNANCNFSM4S27MDVA
.

avatar brianteeman
brianteeman - comment - 25 Nov 2020

Can't help you then. You clearly don't understand user enumeration

avatar jiweigert
jiweigert - comment - 25 Nov 2020

And no, it's not a security risk as the system already tell it with a
system Message when a 2FA code is invalid.
And invalidating the field plus focus is nothing else!

It would be a security risk when a hacker have already a correct username
and password and can simply bruce force the 2FA-Code. I really hope there
are already mechanisms implemented to prevent this case

Brian Teeman notifications@github.com schrieb am Mi., 25. Nov. 2020,
00:54:

You're missing the point that both Phil and I have told you. It is
possible to have users on your site both with and without TFA. What your
proposing is a security issue as you are enumerating the existence of a
user and if they are using tfa


You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#31204 (comment),
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AQNZU5ZFDXK3O4VBITYWRUTSRRBUNANCNFSM4S27MDVA
.

avatar jiweigert
jiweigert - comment - 25 Nov 2020

You state something with false claims of a "security risk" which is simply
not true.
When you're such an expert in security, then tell me why it should be less
risky to print out a system message of invalid 2FA-Code but it is more
risky to set the involved field to invalid?

On that explanation I'm really curious.

Brian Teeman notifications@github.com schrieb am Mi., 25. Nov. 2020,
01:14:

Can't help you then. You clearly don't understand user enumeration


You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#31204 (comment),
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AQNZU556B35YJ6KREXGX5HTSRRD4TANCNFSM4S27MDVA
.

avatar Hackwar Hackwar - change - 20 Feb 2023
Labels Added: No Code Attached Yet bug
Removed: ?
avatar Hackwar Hackwar - labeled - 20 Feb 2023

Add a Comment

Login with GitHub to post a comment