
2FA - missing "Trust this device" checkbox #34324

Open
1 of 5 tasks
Green2Matter opened this issue Oct 12, 2021 · 39 comments
Labels

  • Area: Security
  • Issue: Confirmed (Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed)
  • Priority: P2 (A defect with this priority could have functionality issues which are not to expectations.)
  • Progress: dev in progress
  • Reproduced on 2.4.x (The issue has been reproduced on latest 2.4-develop branch)
  • Severity: S1 (Affects critical data or functionality and forces users to employ a workaround.)

Comments


Green2Matter commented Oct 12, 2021

Preconditions (*)

  1. Fresh install of Magento CE 2.4.3
  2. Configure Google 2FA
  3. Ubuntu 20.4, PHP 7.4, Percona MySQL 8

Steps to reproduce (*)

  1. Start logging in to backend

Expected result (*)

  1. As per https://docs.magento.com/user-guide/stores/security-two-factor-authentication-use.html it should be possible to add the device to trusted devices:
    [screenshot: storefront-2fa-google-code]

Actual result (*)

  1. But what I can see is:

[screenshot: 2FA missing checkbox]

Please provide [Severity](https://devdocs.magento.com/guides/v2.4/contributor-guide/contributing.html#backlog) assessment for the Issue as Reporter. This information will help during Confirmation and Issue triage processes.
  • Severity: S0 - Affects critical data or functionality and leaves users without workaround.
  • Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
  • Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
  • Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
  • Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

m2-assistant bot commented Oct 12, 2021

Hi @Green2Matter. Thank you for your report.
To help us process this issue please make sure that you provided the following information:

  • Summary of the issue
  • Information on your environment
  • Steps to reproduce
  • Expected and actual results

Please make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, please, add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, please, review the Magento Contributor Assistant documentation.

Please, add a comment to assign the issue: @magento I am working on this


⚠️ According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.

🕙 You can find the schedule on the Magento Community Calendar page.

📞 The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, please join the Community Contributions Triage session to discuss the appropriate ticket.

🎥 You can find the recording of the previous Community Contributions Triage on the Magento Youtube Channel

✏️ Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel


m2-assistant bot commented Oct 13, 2021

Hi @engcom-Lima. Thank you for working on this issue.
In order to make sure that the issue has enough information and is ready for development, please read and check the following instructions: 👇

  • 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).

    Details: If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit the issue description if needed, until the label Issue: Format is valid appears.

  • 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

  • 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

  • 4. Verify that the issue is reproducible on 2.4-develop branch

    Details:
    - Add the comment @magento give me 2.4-develop instance to deploy a test instance on Magento infrastructure.
    - If the issue is reproducible on the 2.4-develop branch, please, add the label Reproduced on 2.4.x.
    - If the issue is not reproducible, add your comment that the issue is not reproducible, close the issue and stop the verification process here!

  • 5. Add label Issue: Confirmed once verification is complete.

  • 6. Make sure that automatic system confirms that report has been added to the backlog.

@engcom-Lima (Contributor)

Hi @Green2Matter,

Thank you for reporting the issue.

However, I am able to log in with 2FA in the Admin Panel as expected. You can try increasing the size of max_input_vars in the php.ini file to 10000. That should fix your problem. If it doesn't help, you can raise similar issues on various Magento Forums. You'll probably get the required help.

Since this does not seem to be a Magento core issue, we'll soon have to close this issue. Otherwise, if you still think this issue is related to Magento Dev and should be addressed, please update the Issue Description with more related details.

@engcom-Lima engcom-Lima added the Issue: needs update (Additional information is required, waiting for response) label Oct 13, 2021
@m2-community-project m2-community-project bot added Issue: ready for confirmation and removed Issue: needs update (Additional information is required, waiting for response) labels Oct 13, 2021
@engcom-Lima engcom-Lima added the Issue: needs update (Additional information is required, waiting for response) label Oct 13, 2021
@Green2Matter (Author)

Hi @engcom-Lima

However I am able to login with 2FA in Admin Panel as expected. You can try increasing the size of max_input_vars in php.ini file to 10000. That should fix your problem. If it doesn't help, you can raise similar issues on various Magento Forums. You'll probably get required help.

Thanks for the prompt reply. I'm able to log in as well, but every time I do it, I need to provide a 2FA code. I can't add the device I use to trusted devices as it is shown in the Magento docs...
And I already have max_input_vars set to 10000.


engcom-Lima commented Oct 20, 2021

Hi @Green2Matter,

You have to enable the “trust this device” option from the Admin Panel. Please check the Docs here for doing it correctly.

If you are still facing the same issue, can you please provide more detailed 'Steps to reproduce' for it so that I can try to reproduce it on 2.4-develop? Some screenshots would be helpful. And it would be great if you can update the issue description accordingly.


Green2Matter commented Oct 20, 2021

Hi @engcom-Lima

Simply put, I don't have such an option (trusted devices) to enable... See screenshot:
[screenshot: Google 2fa]
Could it be related to the fact that I kind of "bypassed" the initial configuration (I don't have any sendmail configured) and used the following:
bin/magento config:set twofactorauth/general/force_providers google
bin/magento config:set twofactorauth/google/otp_window 60
bin/magento security:tfa:google:set-secret <admin_user> <Base32_Encode_secret>

BTW, the docs link you quoted is for Magento 2.3. In 2.4 (https://docs.magento.com/user-guide/stores/security-two-factor-authentication.html) there's no trusted devices option...

@michaellehmkuhl (Contributor)

It appears that the switch from MSP_TwoFactorAuth to Magento_TwoFactorAuth removed the "Trust this device" functionality. There is no config setting to allow for it, and no checkbox present in any of the 2FA templates in Magento 2.4.3-p1.

Also, module-two-factor-auth/Setup/Patch/Schema/CopyTablesFromOldModule.php seems to migrate the old msp_tfa_trusted table to tfa_trusted and then promptly drop both tables a few lines later.

Whether that trusted device functionality was intentionally or inadvertently removed, it seems to have gone missing at some point along the way, and our admin users are clamoring to get it back.

It looks like this functionality was all removed in MC-22950, according to this commit:
magento/security-package@1c48716#diff-9d9785efa4487457e8190b3eae0a29e4b2b1acc4fd8bbfcff97b229f9164d2e1

@Green2Matter (Author)

So, is the "trusted device" functionality going to be restored? If not, I'll remove this module and/or install a 3rd party module, or simply restrict access to the admin folder by IP address...


hostep commented Nov 9, 2021

@nathanjosiah: do you know the answer to this question? For me it's also one of the reasons to always throw out the built-in TFA module from Magento: that I need to repeat my two factors every single time I log in to the backend of a shop, and it's insanely annoying. Having the option back to allow "trust this device" would be a good solution here.

@nathanjosiah (Contributor)

This was intentionally removed and we currently have no plans to re-add it. In general, security controls are annoying and affect performance/flexibility/etc. in some way, so it's usually a tradeoff. In our case we removed this feature.

And since we're on the topic, I feel like I need to disclaim: we do not recommend disabling 2FA. Keep in mind that many merchants blindly follow advice like "just disable the 2FA module", so please do not spread advice that will make their stores insecure for the benefit of minor usability enhancements.


Green2Matter commented Nov 9, 2021

@nathanjosiah what is/was the issue with the "trusted devices" option...? It's a good "convenience vs security" trade-off. Banks also apply a similar policy and I can't see a reason why not to do it in an online shop. I'm going to remove Magento 2FA and install a 3rd party extension providing a "trusted devices" option...

@nathanjosiah (Contributor)

We may be able to make an argument for restoring some version of this behavior but this isn't something we could fit into our planning internally at this point. Just so you have context, I don't have the exact number in front of me but something like 80% of compromised stores are due to compromised credentials. Basically this is the most serious security concern outside of not keeping stores updated which is why this has been so strict.
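The thread argues about the convenience/security trade-off of "trust this device" without showing what such a control looks like server-side. The following is an added illustration (not Magento code and not from any commenter) of the usual shape of that feature: a random token issued only after a successful second factor, stored only as a hash, bound to one user, expiring after a fixed period, and revocable. The store class, the 30-day lifetime and the function names are constructed for this example.

```python
import hashlib
import secrets
from typing import Callable, Optional

TRUST_TTL_SECONDS = 30 * 24 * 3600  # assumption: a trusted device is remembered for 30 days


def _token_hash(raw_token: str) -> str:
    # Only the hash is persisted, so a leaked table does not yield usable tokens.
    return hashlib.sha256(raw_token.encode()).hexdigest()


class TrustedDeviceStore:
    """In-memory stand-in for a trusted-devices table (constructed for this example)."""

    def __init__(self, clock: Callable[[], float]):
        self._clock = clock  # returns the current unix time; injectable for testing
        self._rows = {}      # token hash -> (user_id, device_name, expires_at)

    def issue(self, user_id: int, device_name: str) -> str:
        """Call only after the second factor succeeded; returns the raw token for the cookie."""
        raw = secrets.token_urlsafe(32)
        self._rows[_token_hash(raw)] = (user_id, device_name, self._clock() + TRUST_TTL_SECONDS)
        return raw

    def is_trusted(self, user_id: int, raw_token: str) -> bool:
        key = _token_hash(raw_token)
        row = self._rows.get(key)
        if row is None:
            return False
        owner, _, expires_at = row
        if owner != user_id:
            return False  # a token never transfers between admin users
        if self._clock() > expires_at:
            self._rows.pop(key, None)  # expired: drop it so the user is prompted again
            return False
        return True

    def revoke_all(self, user_id: int) -> int:
        """Forget every device of a user, e.g. on password change; returns how many were dropped."""
        stale = [k for k, (owner, _, _) in self._rows.items() if owner == user_id]
        for k in stale:
            del self._rows[k]
        return len(stale)


def second_factor_required(store: TrustedDeviceStore, user_id: int,
                           cookie_token: Optional[str]) -> bool:
    """The password check has already passed; decide whether to still prompt for the OTP."""
    if cookie_token is None:
        return True
    return not store.is_trusted(user_id, cookie_token)
```

The OTP is skipped only for a valid, unexpired token of the same user; password rotation or an explicit "forget devices" action calls revoke_all so the bypass does not outlive the credential.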


hostep commented Nov 9, 2021

Security implementation is indeed always a compromise between usability and strict security, but I feel like Magento always prefers strict security over usability. Unfortunately this sometimes annoys their users so much that they are willing to work around the security measures completely in order to have an efficient way of working with their shop software.
I think Magento needs to gently introduce new security measures and not immediately the most strict implementation possible, as it takes a while to get accustomed to new security measures. Gradually building up security measures helps to move people in the right direction and makes it possible to convince them about the next (stricter) step. But if you implement it so strictly to begin with, people just get annoyed and find workarounds, unfortunately.

I know I shouldn't recommend disabling TFA, and I try not to. This is just a personal opinion of what we do in our agency. Because my colleagues and I have to log in to Magento backends more than a hundred times per day for more than 50 different shops, having that TFA module asking for the 2 factors every single time we need to log in is just too annoying, I'm really sorry, but it is. We do use sane password management with password managers and random passwords with a length of at least 20 characters. And that's currently good enough. But if the TFA module would get an option to mark our current device as a trusted one, we would gladly enable it again.

@engcom-Delta engcom-Delta added Issue: Confirmed Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed and removed Issue: ready for confirmation labels Jul 28, 2022
@engcom-Delta engcom-Delta added the Priority: P3 May be fixed according to the position in the backlog. label Jul 28, 2022
@github-jira-sync-bot

✅ Jira issue https://jira.corp.adobe.com/browse/AC-6060 is successfully created for this GitHub issue.


m2-assistant bot commented Jul 28, 2022

✅ Confirmed by @engcom-Delta. Thank you for verifying the issue.
Issue Available: @engcom-Delta, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

@ihor-sviziev (Contributor)

@engcom-Delta, I think it should have P2 priority since it is causing many people to turn off 2FA.

@adamlavery

@engcom-Delta, I think it should have P2 priority since it is causing many people to turn off 2FA.

Agreed. My clients won't accept it as it is and as they are the boss it has been disabled.

@engcom-Delta engcom-Delta added Priority: P2 A defect with this priority could have functionality issues which are not to expectations. and removed Priority: P3 May be fixed according to the position in the backlog. labels Jul 29, 2022
@omueller

Also spent some time with this issue (missing "Trust this device" option) with current (as of August 2023) Magento versions. It would really be good to get it back, it is really annoying, and the only "working" solution to reduce user complaints (besides disabling MFA completely) is to increase the lifetime of admin sessions to several hours (on the M2 and PHP level), which is also not really great security-wise.

thanks for your work & best regards.

@omueller

PS: in the meantime, https://www.mageplaza.com/magento-2-two-factor-authentication/ may be useful too.


hostep commented Apr 5, 2024

@nathanjosiah: are there plans to pick this up?

@nathanjosiah (Contributor)

We have an internal story AC-6060 for this but unfortunately it isn't on our roadmap at the moment. We had several key changes which forced us to reprioritize certain workstreams to align with goals and requirements.

@engcom-Delta (Contributor)

Hi @Green2Matter,

Thanks for reporting and for your collaboration.
We have re-verified the issue on the latest 2.4-develop instance and the issue is reproducible.
Kindly refer to the screenshots.

Steps to reproduce

  1. Enable 2FA
  2. Log in to admin and observe that the "Trust this device" checkbox is missing
    [screenshot: image]

Thanks.

Projects
Status: Dev In Progress
Development

No branches or pull requests