2FA and Remember Me Feature

This post is about security requirements and why they are so important even when they are not in your backlog or SOW, since they can still shape the product you are building.

Recently one of our customers, who happens to be a project manager with a small team of in-house engineers, asked us to implement a 2FA feature for their app, since the app is regulated by the appropriate state agency because of the data it processes and stores.

Straightforward enough to implement. The feature was implemented, and after using it for quite a few weeks they grew annoyed at typing a one-time code every time they logged in.

What do you think the next feature request was? Correct: «remember me», so they would not have to enter the code on every login. And this is where our expertise kicked in.

We reviewed this requirement closely to see how it fit into the overall product design and architecture, as well as the regulations.

The original idea from the customer's development team was to use a JavaScript library to «remember» the user's agent (read: browser) and then, based on that fingerprint, decide whether or not to allow access without the 2FA code.

2FA, in a nutshell, is a process that combines something the user knows (username and password) with something the user has (a unique one-time code). Implementing such a feature would undermine this principle, and here is why.

This raises at least a few issues:

  • we would become dependent on a third-party JavaScript library that may have vulnerabilities in the future, or already has them;
  • we would add another attack vector, the JavaScript code itself. Ouch!;
  • JavaScript code that helps decide the next step in the 2FA process? Sounds scary;
  • we would have another dependency to update in case of a vulnerability, and if there is no patch, we (or some other developer) would need to come up with the patch ourselves.

None of this is beneficial in the long term for the product we are helping to build.

So we talked through these items with the customer to make sure the risks were understood and accepted.

As it turned out, the customer was not ready to accept such risks. So we suggested making 2FA less obtrusive by whitelisting specific personnel connecting from well-known locations, which worked well.
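As an added illustration (not code from the original post or from the customer's project), here is the shape of the server-side decision that replaces the client-side fingerprint: the allowlisted personnel and networks are constructed placeholders, and a «remembered» claim posted by the browser is shown to have no effect on the outcome.

```python
import ipaddress

# Constructed sample policy: which personnel may skip the one-time code,
# and from which well-known networks. Addresses are documentation ranges
# standing in for an office range and a fixed home address.
ALLOWLIST = {
    "alice": ["203.0.113.0/24"],                      # head office
    "bob":   ["203.0.113.0/24", "198.51.100.7/32"],   # office + home
}


def _trusted_networks(user):
    """Networks from which `user` may log in without the second factor."""
    return [ipaddress.ip_network(cidr) for cidr in ALLOWLIST.get(user, [])]


def requires_second_factor(user, source_ip, client_claims=None):
    """Decide, on the server, whether this login must present a one-time code.

    `source_ip` must be the peer address of the connection (or the address
    reported by a proxy the server itself trusts), never a value the browser
    chose to send. `client_claims` stands for anything posted by front-end
    JavaScript (a fingerprint, a 'remembered' flag); it is accepted only to
    make explicit that the server ignores it when deciding.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return True  # unparseable address: fail closed and demand the code
    for net in _trusted_networks(user):
        # Mixed IPv4/IPv6 comparisons are simply False, so no match there.
        if addr in net:
            return False
    return True  # unknown user or unknown location: second factor required
```

The policy data lives with the server, so a stolen or replayed fingerprint cannot widen it; only a change to the allowlist can.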

This is a very good example of security requirements not being aligned with business requirements. In fact, the customer was not aware of such concerns and risks at all.

We believe communication and teamwork are essential. Sharing expertise is no less important, to make sure everyone is aware of the ramifications of the decisions we make during incremental development.