
I am wanting to implement 2FA in my application. I am a relatively new developer (~1 year Spring Boot / Android).

At the moment, my App uses Spring Security AuthenticationProviders to authenticate a user only by their username/password combo using BCrypt as the hashing algo.

From generally looking online, I can't seem to find a "clear" answer on when to challenge a user for a 2FA code.

My questions are:

  1. Under what circumstance(s) do you request a 2FA code?
    Only if the UserAgent string has not been seen for that user before? The UserAgent && IP not a seen combination before? ... Or when/with what combination? (Machine learning out of the question... noobie here).
  2. Should the user account be locked/disabled, always requesting a 2FA code for EVERY subsequent login attempt if the first 2FA code inputted fails, until a correct 2FA/Username/Password combination is given?
  3. I guess a rate limit on how often a new 2FA is generated is a standard to prevent some form of DOS attack?

Any links or clearer "best practice" would be greatly appreciated!
Thank you.

Jcov
  • Possible duplicate of [Two-Factor Authentication: When is it worth it?](https://security.stackexchange.com/questions/24652/two-factor-authentication-when-is-it-worth-it) – mentallurg Oct 03 '19 at 22:51

2 Answers


In my experience, a clear "best practice" for when to prompt for 2FA does not exist. What you're really asking about is a "risk algorithm" to determine when a login or session resumption is "high risk" and should be challenged with 2FA. Different vendors have different algorithms which are treated a bit like trade secrets. There are in fact companies who do nothing but sell MFA platforms, and their entire business value is about having a clever risk algorithm for when to prompt for 2FA.

So IMO unfortunately there is no simple answer; but there's lots of room for creativity here!

Some "factors" to think about:

  • Time-based: how long since I last saw them?
  • IP / user-agent: is this a machine I recognize them from?
  • Geo-IP: Is this a location I recognize them from?

The longer you think about it, the more factors you can come up with that might be relevant to the risk algorithm.

To make it even more confusing, some apps have a low barrier to, for example, resuming a previous session, but will prompt you for a full 2FA flow if you access your account and billing page.

Mike Ounsworth

It's hard to answer such a question in general. It depends on several factors. The first thing you should do is a cyber threat analysis. What kind of threat are you trying to prevent?

2FA (or multi-factor in general) adds an extra layer of security. While the username and password are something a user knows and thus can be stolen or compromised, a second factor is usually something they have/own, usually their phone *.

You said you are an Android developer, so if you protect the App with the 2FA token, it adds little security if the phone is stolen. It does help a lot though if someone knows the username/password and tries to access your app on a different phone.

  1. You should check the 2FA code when the user fully authenticates, that is, logs in with username and password. Logins via Remember Me Token can be considered secure and from a known device, if you store the tokens in a secure manner and communicate only via HTTPS.

  2. Typos happen, and if you use time-based tokens (such as TOTP), there is also a chance that the time slice in which the token is valid closes while the request is in transit. So I would allow the usual 3 attempts. Any more invalid 2FA codes are definitely a sign something is wrong.

  3. Again, depends on the kind of tokens used. TOTP tokens are by default valid for 30 seconds. If you send tokens via email or text/SMS, they are valid for longer and must expire internally. It depends on your use-case, but too many login attempts and too many requested 2FA tokens are definitely odd.


*) technically, with soft-token it's still something they know because it really is just a different code saved on their device.

phisch
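The points in the second answer about the 30-second TOTP time slice closing in transit and allowing the usual 3 attempts, worked through as an added Python example (not code from either answer or the asker's Spring Boot project): an RFC 6238 verifier that accepts one neighbouring time step, a per-user failure budget of 3, and a check that a code's time step is never accepted twice (RFC 6238 recommends this so a captured code cannot be replayed inside the window). The secret is the RFC 6238 reference test secret, used here only for the demo.

```python
import hashlib, hmac, struct

# RFC 6238 reference secret (ASCII "12345678901234567890"), for the demo only.
DEMO_SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)

def match_totp(secret, code, unix_time, step=30, window=1, digits=6):
    """Return the time-step counter the code matches, or None. Checking `window` steps
    on each side tolerates a code whose slice closed while the request was in transit."""
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return counter + delta
    return None

class TwoFactorGate:
    """Per-user second-factor state: a failure budget of MAX_ATTEMPTS, then lock the
    account; and a matched time step is never accepted twice (no replay inside the window)."""
    MAX_ATTEMPTS = 3

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.locked = False
        self.last_counter = -1  # highest time step already consumed by a valid code

    def submit(self, code: str, unix_time: int) -> str:
        if self.locked:
            return "locked"
        matched = match_totp(self.secret, code, unix_time)
        if matched is not None and matched > self.last_counter:
            self.last_counter = matched
            self.failures = 0
            return "ok"
        self.failures += 1  # wrong code and replayed code both count against the budget
        if self.failures >= self.MAX_ATTEMPTS:
            self.locked = True
            return "locked"
        return "retry"
```

A locked account should only be reopened by a full re-authentication path, not by waiting out the counter.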