automatically use email address as 2fa provider #4317

stefan0xC · 2024-02-04T13:00:49Z

When an organization policy requires a 2FA provider the registration via the organizations invite link should add the email address as 2FA provider. You can also skip the policy check if you set EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=true (e.g. so that email provider is added to users that are invited via the /admin panel).

This should fix #4303, however I've also added a way to ensure that the email address will be used automatically as fallback 2FA provider whenever needed (which you have to opt in by setting EMAIL_2FA_AUTO_FALLBACK=true). I'd consider this an experimental feature as it would be Vaultwarden only.

If you don't want your users to enable email 2FA provider at all, you should set _ENABLE_EMAIL_2FA=false to disable email as 2FA provider entirely.

tessus · 2024-02-04T18:55:23Z

May I ask, why email should be used as a default 2FA? IMO there are 2 MFA systems that are not really safe: email and SMS (text). I believe it's more than just a personal opinion, but looking at the SIM awap attack and other known attack vectors a rather proven standpoint.

There's a reason why there are standards like TOTP or HW keys.

As a SW that prides itself to be secure out of the box with zero knowledge, setting a default 2FA method, which is not the safest choice is detrimental to its mission and goal.

I hope this was not too harsh. If so, I apologize in advance.

P.S.: Why not use TOTP enrollment as the default?

stefan0xC · 2024-02-04T20:00:16Z

May I ask, why email should be used as a default 2FA?

That's the only one that can be setup at the moment and before having an account. Also that's how the Bitwarden server does it: https://github.com/bitwarden/server/blob/472b1f8d44c1e223aa2e36737650922ef716a004/src/Core/Services/Implementations/UserService.cs#L318-L331

Why not use TOTP enrollment as the default?

It's currently not possible. Presumably the other 2FA providers require changes to the web-vault. If this were supported by the client, e.g. part of the signup form that would be preferable of course. (The auto fallback would not work for most steps because it would require the user's input.)

As a SW that prides itself to be secure out of the box with zero knowledge, setting a default 2FA method, which is not the safest choice is detrimental to its mission and goal.

Personally, I think that having email 2FA as default provider is better than none (which is why I've also added the option to automatically fallback when needed). Since this might not be for everyone, I chose to make both Vaultwarden-only features opt-in (and marked the auto fallback as risky). So by default it mirrors the way Bitwarden does it and only sets it up if there's an org policy that requires it. And like I said it's possible to disable email as 2FA provider, so if you are security minded you can (and probably should?) harden your instance that way.

I mean, the auto fallback method might also be too convenient because it might not be necessary to setup email 2FA here:

vaultwarden/src/api/core/organizations.rs

Lines 1097 to 1099 in 897bdf8

    
           Err(OrgPolicyErr::TwoFactorMissing) => { 
        
               err!("You cannot join this organization until you enable two-step login on your user account"); 
        
           }

because here the user is in control and they had the option to setup a 2FA provider beforehand.

I hope this was not too harsh. If so, I apologize in advance.

No worries. Thanks for the feedback.

tessus · 2024-02-04T20:43:00Z

Thanks a bunch for the explanation. I didn't know the flow, but just remembered that I can setup TOTP as a 2FA in the web vault.

Well, at least email is better than SMS, if one wants to access their account when travelling. It's highly annoying how banks and others send a challenge text to your phone, which makes no sense when out of the country and not having the SIM active to avoid extremly high roaming expenses. I also love how BWAWG or Bank Austria handle online banking. The 2FA is bound to their apps and your phone. Good look switching your phone while not being in the country. You won't have access to your online banking anymore. I live in Canada, but still have accounts with those 2 banks. I am about to get a new phone, and won't be able to access my bank accounts anymore. Sorry the rant. It's off-topic. You can hide this comment. ;-)

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [vaultwarden/server](https://togithub.com/dani-garcia/vaultwarden) | minor | `1.30.5` -> `1.31.0` | --- ### Release Notes <details> <summary>dani-garcia/vaultwarden (vaultwarden/server)</summary> ### [`v1.31.0`](https://togithub.com/dani-garcia/vaultwarden/releases/tag/1.31.0) [Compare Source](https://togithub.com/dani-garcia/vaultwarden/compare/1.30.5...1.31.0) #### Major changes and New Features - Initial support for the beta releases of the new native mobile apps - Removed support for WebSocket traffic on port 3012, as it's been integrated on the main HTTP port for a few releases - Updated included web vault to 2024.5.1 #### General mention Bitwarden has changed the push API endpoints which affects the EU region endpoint users. So if you use the push functionality and use the EU region you need to make some changes. You have to update `push.bitwarden.eu` to `api.bitwarden.eu`. This is also an issue with any previous version of Vaultwarden. #### What's Changed - chore: remove repetitive words by [@one230six](https://togithub.com/one230six) in [dani-garcia/vaultwarden#4422 - Fix comment in events.rs by [@KrappRamiro](https://togithub.com/KrappRamiro) in [dani-garcia/vaultwarden#4408 - Improve JWT RSA key initialization and avoid saving public key by [@dani-garcia](https://togithub.com/dani-garcia) in [dani-garcia/vaultwarden#4085 - Remove custom WebSocket code by [@BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#4001 - refactor: replace panic with a graceful exit by [@tessus](https://togithub.com/tessus) in [dani-garcia/vaultwarden#4402 - Small improvements around email change by [@Timshel](https://togithub.com/Timshel) in [dani-garcia/vaultwarden#4415 - Change timestamp data type. by [@gzfrozen](https://togithub.com/gzfrozen) in [dani-garcia/vaultwarden#4355 - Fix [#3624](https://togithub.com/dani-garcia/vaultwarden/issues/3624): fix manager permission within groups by [@matlink](https://togithub.com/matlink) in [dani-garcia/vaultwarden#3754 - automatically use email address as 2fa provider by [@stefan0xC](https://togithub.com/stefan0xC) in [dani-garcia/vaultwarden#4317 - fix: typos by [@testwill](https://togithub.com/testwill) in [dani-garcia/vaultwarden#4440 - Update chrono and sqlite by [@BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#4436 - Update Rust and crates by [@BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#4445 - Use async verify for Yubikey by [@dani-garcia](https://togithub.com/dani-garcia) in [dani-garcia/vaultwarden#4448 - update web-vault to v2024.3.1 (new vertical layout) by [@stefan0xC](https://togithub.com/stefan0xC) in [dani-garcia/vaultwarden#4468 - Update crates and some Clippy fixes by [@BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#4475 - Update Key Rotation web-vault v2024.3.x by [@BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#4446 - Update Crate and Rust by [@BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#4522 - Implement custom DNS resolver by [@dani-garcia](https://togithub.com/dani-garcia) in [dani-garcia/vaultwarden#3988 - Add extra (unsupported) container build arch's by [@BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#4524 - Pass in collection ids to notifier when sharing cipher. by [@kristof-mattei](https://togithub.com/kristof-mattei) in [dani-garcia/vaultwarden#4517 - improve access to collections via groups by [@stefan0xC](https://togithub.com/stefan0xC) in [dani-garcia/vaultwarden#4441 - fix emergency access invites by [@stefan0xC](https://togithub.com/stefan0xC) in [dani-garcia/vaultwarden#4337 - Some fixes for the new mobile apps by [@dani-garcia](https://togithub.com/dani-garcia) in [dani-garcia/vaultwarden#4526 - Update Rust, crates and web-vault by [@BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#4558 - Improve Commentary Aesthetics by [@rich-purnell](https://togithub.com/rich-purnell) in [dani-garcia/vaultwarden#4549 - Optimize Dockerfiles by [@dfunkt](https://togithub.com/dfunkt) in [dani-garcia/vaultwarden#4532 - also delete organization_api_key when deleting organizations by [@stefan0xC](https://togithub.com/stefan0xC) in [dani-garcia/vaultwarden#4557 - Fix public api for domains with path prefix by [@FDHoho007](https://togithub.com/FDHoho007) in [dani-garcia/vaultwarden#4500 - Update crates by [@BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#4587 - Fix web-vault version in Docker(files/Settings) by [@dfunkt](https://togithub.com/dfunkt) in [dani-garcia/vaultwarden#4575 - Update Alpine to version 3.20 by [@dfunkt](https://togithub.com/dfunkt) in [dani-garcia/vaultwarden#4583 - differentiate external groups by organization id by [@stefan0xC](https://togithub.com/stefan0xC) in [dani-garcia/vaultwarden#4586 - Remove old knowndevice route by [@Timshel](https://togithub.com/Timshel) in [dani-garcia/vaultwarden#4578 - Update admin interface dependencies by [@BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#4581 - Update rust and remove unused header values by [@dani-garcia](https://togithub.com/dani-garcia) in [dani-garcia/vaultwarden#4645 - Update crates, web-vault and GHA by [@BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#4648 - Fix some nightly build errors by [@dani-garcia](https://togithub.com/dani-garcia) in [dani-garcia/vaultwarden#4657 - Fix some more nightly errors and remove lint that will become an error by default by [@dani-garcia](https://togithub.com/dani-garcia) in [dani-garcia/vaultwarden#4661 - Change API and structs to camelCase by [@dani-garcia](https://togithub.com/dani-garcia) in [dani-garcia/vaultwarden#4386 - Fix cipher creation on new android app by [@dani-garcia](https://togithub.com/dani-garcia) in [dani-garcia/vaultwarden#4670 - Remove mimalloc workaround by [@dfunkt](https://togithub.com/dfunkt) in [dani-garcia/vaultwarden#4606 - Change some missing PascalCase keys by [@dani-garcia](https://togithub.com/dani-garcia) in [dani-garcia/vaultwarden#4671 - Fix collections and native app issue by [@BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#4685 - Fix duplicate folder creations during import by [@BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#4702 - Remove duplicate registry step by [@dfunkt](https://togithub.com/dfunkt) in [dani-garcia/vaultwarden#4703 - add group support for Cipher::get_collections() by [@stefan0xC](https://togithub.com/stefan0xC) in [dani-garcia/vaultwarden#4592 - Switch registry cache compression algorithm to zstd by [@dfunkt](https://togithub.com/dfunkt) in [dani-garcia/vaultwarden#4704 - Update crates and web-vault by [@BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#4714 - Some fixes for emergency access by [@BlackDex](https://togithub.com/BlackDex) in [dani-garcia/vaultwarden#4715 #### New Contributors - [@one230six](https://togithub.com/one230six) made their first contribution in [dani-garcia/vaultwarden#4422 - [@KrappRamiro](https://togithub.com/KrappRamiro) made their first contribution in [dani-garcia/vaultwarden#4408 - [@testwill](https://togithub.com/testwill) made their first contribution in [dani-garcia/vaultwarden#4440 - [@kristof-mattei](https://togithub.com/kristof-mattei) made their first contribution in [dani-garcia/vaultwarden#4517 - [@rich-purnell](https://togithub.com/rich-purnell) made their first contribution in [dani-garcia/vaultwarden#4549 - [@dfunkt](https://togithub.com/dfunkt) made their first contribution in [dani-garcia/vaultwarden#4532 - [@FDHoho007](https://togithub.com/FDHoho007) made their first contribution in [dani-garcia/vaultwarden#4500 **Full Changelog**: dani-garcia/vaultwarden@1.30.5...1.31.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 10pm every weekday,every weekend,before 5am every weekday" in timezone America/New_York, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/NorkzYT/Wolflith).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

stefan0xC force-pushed the auto-enable-email-2fa branch from 958bc76 to a37c16b Compare February 4, 2024 13:09

stefan0xC force-pushed the auto-enable-email-2fa branch from 6755fe0 to 6587d0f Compare February 5, 2024 01:07

BlackDex approved these changes Feb 16, 2024

View reviewed changes

automatically use email address as 2fa provider

ac8e905

stefan0xC force-pushed the auto-enable-email-2fa branch from 6587d0f to ac8e905 Compare February 26, 2024 20:19

dani-garcia merged commit 79ce5b4 into dani-garcia:main Mar 17, 2024
5 checks passed

stefan0xC deleted the auto-enable-email-2fa branch March 17, 2024 21:35

ZhReimu pushed a commit to ZhReimu/vaultwarden that referenced this pull request Jul 9, 2024

automatically use email address as 2fa provider (dani-garcia#4317)

2e61d3d

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

automatically use email address as 2fa provider #4317

automatically use email address as 2fa provider #4317

stefan0xC commented Feb 4, 2024 •

edited

Loading

tessus commented Feb 4, 2024 •

edited

Loading

stefan0xC commented Feb 4, 2024 •

edited

Loading

tessus commented Feb 4, 2024

automatically use email address as 2fa provider #4317

automatically use email address as 2fa provider #4317

Conversation

stefan0xC commented Feb 4, 2024 • edited Loading

tessus commented Feb 4, 2024 • edited Loading

stefan0xC commented Feb 4, 2024 • edited Loading

tessus commented Feb 4, 2024

stefan0xC commented Feb 4, 2024 •

edited

Loading

tessus commented Feb 4, 2024 •

edited

Loading

stefan0xC commented Feb 4, 2024 •

edited

Loading