
I'm currently implementing 2FA and ask our users who log in with their email/pass to enter their code when 2FA is enabled. This is all good.

But I also offer a "I forgot my password" access that sends a one-time login link by email to the user when the email entered matches the account we have.

Now, I wonder if it is important to also ask for the 2FA code when the user clicks that link since, by default, his email account should be secured.

So, when clicking on the link received by email, should I ask for the 2FA token before allowing access to his account, or should I redirect them directly into their account since "email is safe enough"?

Thank you for your input.

Cyril N.
  • *"... since, by default, his email account should be secured."* - Is this an explicit requirement you have on the user or is this only an assumption you are making? And what about the mail transport - is the message end-to-end encrypted (i.e. PGP or S/MIME) or can you otherwise guarantee that it does not get sniffed on the way to the recipient? – Steffen Ullrich Aug 24 '20 at 15:09
  • @SteffenUllrich Yeah, this kind of answers the question ;) I can't guarantee these. – Cyril N. Aug 24 '20 at 15:23

1 Answer


... since, by default, his email account should be secured.

Unless you are in a fully controlled environment you cannot make this assumption. For one, you cannot guarantee that the mail cannot be watched and sniffed by someone in between, unless you explicitly use end-to-end encryption with PGP or S/MIME. And even if the mail arrived without problems at the user's mailbox, you can neither assume that this is a secure storage nor that the user's account was not compromised.

In other words: a simple mail is not as strong as password + 2FA and thus should not be considered a replacement for this.

Steffen Ullrich
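The flow the answer argues for, as an added example that is not code from the question or the answer: the "forgot password" link carries a random single-use token that is stored only as a hash and expires, and redeeming it on an account with 2FA enabled gets the user only as far as a TOTP prompt; the reset is granted after the code checks out, and the token is burned on first successful use. The `User` dataclass, the in-memory user records, the hostname `example.test` and the function names are assumptions made for this illustration; the TOTP/HOTP code follows RFC 6238 / RFC 4226 (HMAC-SHA1, 30-second step, 6 digits).

```python
import base64
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional

RESET_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link
TOTP_STEP = 30
TOTP_DIGITS = 6


@dataclass
class User:
    """Constructed account record; a real system would keep this in a database."""
    email: str
    totp_secret: Optional[bytes]            # None means 2FA is not enabled
    reset_token_hash: Optional[bytes] = None
    reset_expires_at: float = 0.0


def issue_reset_link(user: User, now: float) -> str:
    """Create a single-use reset link. Only the hash of the token is stored,
    so a read-only leak of the user table does not yield working links."""
    token = secrets.token_urlsafe(32)
    user.reset_token_hash = hashlib.sha256(token.encode()).digest()
    user.reset_expires_at = now + RESET_TTL_SECONDS
    return f"https://example.test/reset?token={token}"   # this string goes into the e-mail


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, code: str, at: float, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps for clock drift.
    Comparisons are constant-time so the check does not leak matching prefixes."""
    counter = int(at // TOTP_STEP)
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


def redeem_reset_link(user: User, token: str, now: float,
                      totp_code: Optional[str] = None) -> str:
    """Outcome of clicking the link:
       'denied'   - bad, expired or already-used token, or wrong 2FA code
       'need_2fa' - token is valid but the account has 2FA, so ask for the code first
       'reset_ok' - user may now set a new password (token is burned)"""
    if user.reset_token_hash is None or now > user.reset_expires_at:
        return "denied"
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, user.reset_token_hash):
        return "denied"
    if user.totp_secret is not None:
        # Possession of the mailbox is not treated as equivalent to password + 2FA.
        if totp_code is None:
            return "need_2fa"
        if not verify_totp(user.totp_secret, totp_code, now):
            return "denied"
    # Single use: burn the token before granting the reset.
    user.reset_token_hash = None
    user.reset_expires_at = 0.0
    return "reset_ok"


if __name__ == "__main__":
    # Constructed demo: one account without 2FA, one with the RFC 6238 test secret.
    plain = User("alice@example.test", totp_secret=None)
    secured = User("bob@example.test", totp_secret=b"12345678901234567890")
    t0 = 59.0
    link = issue_reset_link(secured, t0)
    tok = link.rsplit("token=", 1)[1]
    print(redeem_reset_link(secured, tok, t0))                    # need_2fa
    print(redeem_reset_link(secured, tok, t0, totp(secured.totp_secret, t0)))  # reset_ok
    print(redeem_reset_link(secured, tok, t0))                    # denied (already used)
    link = issue_reset_link(plain, t0)
    print(redeem_reset_link(plain, link.rsplit("token=", 1)[1], t0))  # reset_ok
```

Two design points worth keeping when adapting this: the token is compared and the TOTP code is verified with `hmac.compare_digest`, and the token is invalidated before the reset is granted, so a link that leaks in transit or from a mailbox cannot be replayed once the legitimate user has used it. On a 2FA account the link alone never yields a session; it only unlocks the second-factor prompt, which is the point the answer makes.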