2

I'm upgrading the authentication of an application from self hosted forms authentication to OpenID Connect through Azure Active Directory B2C (AAD B2C) and have found a few pages which re-prompt the user for a password before a transaction is submitted. It's a financial application.

AAD B2C doesn't support the Resource Owner Password Credentials Grant flow so I'm forced to look for alternatives.

I feel like a re-prompt forces a user to think about the transaction (as opposed to accidentally hitting a button) and protects the application from a user who is authenticated, but walks away from their machine and leaves it unlocked.

What is the common approach to this problem? Email a PIN to the user, secret question, reduced session timeout?

Kye
  • 153
  • 4
  • The method of authentication is going to depend on a number of factors. How often is a user going to be prompted to reauthenticate? Are these users likely to be on shared computers? If this is simply a way of slowing the user down so they don't click blindly you could have a delay before the button is accessible to be pressed, or require the user to type a word like "yes" or "accept". What is the current time out? – Daisetsu Mar 10 '19 at 18:14
  • Have you thought about MFA here? – securityOrange Mar 10 '19 at 20:15

1 Answer

1

Is re-prompting a user for credentials an effective measure to prove a user's identity?

Yes, this is quite common and generally more effective than not.

Typically this is used to assert that the user sitting at the keyboard is the same person that logged into the app at some point in the past. This prevents scenarios where a user has left their computer unlocked, or left themselves logged in on a public terminal, or where the user is accessing the site through a weaker form of authentication like a "magic" login link in an email.

There are lots of other solutions but the only one you get for free (by virtue of having already collected the email and password) is to challenge the user to re-enter their password.

and have found a few pages which re-prompt the user for a password before a transaction is submitted ... AAD B2C doesn't support the Resource Owner Password Credentials Grant flow so I'm forced to look for alternatives.

You should definitely not use the Resource Owner Password Credentials Flow for this purpose, which allows an RP to collect a plaintext password and forward it to the IDP for verification.

OIDC provides a purpose-built alternative: You should perform a new authorization flow using the prompt parameter to instruct the IDP to force the user to re-enter their password.

Initiate a new Code Flow but include prompt=login, and the IDP will (or at least SHOULD according to the spec) reauthenticate the user.

prompt and the values it supports are defined in the OIDC core spec under 3.1.2.1. Authentication Request.

user229044
  • 461
  • 3
  • 8
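The step-up flow the answer describes, as an added example that is not part of the original answer or of any AAD B2C SDK: the relying party builds a fresh Authorization Code request with prompt=login (plus the usual state, nonce and PKCE values), and when the ID token comes back it checks the auth_time claim to confirm the IDP really did reauthenticate rather than silently reuse its SSO session. The tenant, client_id and redirect_uri values are constructed placeholders; check_reauthenticated takes the already-decoded ID token claims, so signature, issuer, audience and expiry validation are assumed to have been done by your OIDC library first.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Constructed placeholders; substitute your own B2C user flow endpoint and app registration.
AUTHORIZE_ENDPOINT = (
    "https://TENANT.b2clogin.com/TENANT.onmicrosoft.com/B2C_1_signin/oauth2/v2.0/authorize"
)
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://app.example.com/signin-oidc"


def build_stepup_request(client_id=CLIENT_ID, redirect_uri=REDIRECT_URI,
                         authorize_endpoint=AUTHORIZE_ENDPOINT):
    """Build a new Authorization Code Flow request that forces reauthentication.

    Returns the redirect URL and the per-request values the RP must store
    server-side (state, nonce, PKCE verifier and the time the request was issued)
    so the callback can be tied back to this transaction.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)
    code_challenge = (
        base64.urlsafe_b64encode(hashlib.sha256(code_verifier.encode()).digest())
        .rstrip(b"=")
        .decode()
    )
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        # OIDC Core 3.1.2.1: the IDP SHOULD prompt the end user for reauthentication.
        "prompt": "login",
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    pending = {
        "state": state,
        "nonce": nonce,
        "code_verifier": code_verifier,
        "issued_at": int(time.time()),
    }
    return f"{authorize_endpoint}?{urlencode(params)}", pending


def check_reauthenticated(claims, expected_nonce, expected_sub, issued_at,
                          max_auth_age_seconds=120, clock_skew_seconds=30, now=None):
    """Decide whether a returned ID token proves a fresh reauthentication.

    `claims` is the verified ID token payload. prompt=login is only a SHOULD in the
    spec, so the RP must not trust the redirect alone: auth_time has to be later
    than the moment the step-up request was issued and recent enough to matter.
    Returns (ok, reason).
    """
    now = time.time() if now is None else now
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch: token was not minted for this request"
    if claims.get("sub") != expected_sub:
        return False, "subject differs from the logged-in session"
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False, "auth_time claim missing: cannot prove reauthentication"
    if auth_time < issued_at - clock_skew_seconds:
        return False, "auth_time predates the step-up request: IDP reused its session"
    if now - auth_time > max_auth_age_seconds:
        return False, "authentication is older than the allowed window"
    return True, "fresh reauthentication confirmed"
```

Store the `pending` dictionary against the transaction (not just the session) and only release the transaction when check_reauthenticated returns ok for that exact nonce; a failure should fall back to declining the transaction and logging the reason, since a missing or stale auth_time usually means the IDP or user flow is not honouring prompt=login.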