
Remember browser for 2FA #12188


hongbing.wang created

Hi @ismcagdas,

ASP.NET Zero API: v13.3.0 | Client: v13.3.0

Goal: Add an option to remember browser for Operators with MFA enabled. When selected, Operators can choose to remember browser, which will skip MFA prompts for future logins from the same browser.

We enabled 2FA settings on settings page and also for specific user. 2FA works.

We also added an option "Allow to remember browser" on settings page [Administration > Settings > Security (tab)]. See the screenshot below.

We checked the setting is updated in TenantSettingsAppService.cs, settings.IsRememberBrowserEnabled = true, but users are still prompted for additional authentication (two-factor authentication) on a "remembered" browser.

Did I miss something? How is the "remember browser" functionality implemented? Does the "Remember this browser" functionality rely on a cookie being set in the user's browser when they select the option to remember the device? I couldn't find such a cookie in the browser.

Do we need to check that the host settings (HostSettingsAppService) do not force 2FA?

Thank you for your support.


15 Answer(s)
  • m.aliozkaya created
    Support Team

    Hi @hongbing.wang,

    An error may have occurred in the implementation here. We will fix this in the next version.

    https://github.com/aspnetzero/aspnet-zero-core/issues/5430

  • m.aliozkaya created
    Support Team

    Hi @hongbing.wang,

    I tested it, but the remember me functionality is working successfully for me.

    Maybe you are not selecting the marked place.

    Angular local storage item

    Mvc cookie

  • hongbing.wang created

    Hi @m.aliozkaya,

    Thank you for the update.

    I do have 'Remember this browser' ticked.

    I also have TwoFactoRememberClientToken in angular local storage.

    However, if I log out and then log in again within the same browser, I am still required to provide the two-factor access code from Google Authenticator. Is this normal? Please explain how this should work. Thank you.

  • m.aliozkaya created
    Support Team

    Hi @hongbing.wang,

    I can't reproduce the problem. If you check the remember this browser button, you can log in without the Google Authenticator code.

    Could you share your project with [email protected]?

  • hongbing.wang created

    Hi İsmail,

    Here is the video recorded from the original default Zero app V13.3.0. It doesn’t meet the following requirement: If the Operator successfully logs in with the remember browser option ticked, then they should not be prompted to enter 2FA again until they go to another browser.

    Please investigate the issue.

  • m.aliozkaya created
    Support Team

    Hi @hongbing.wang,

    I can't reproduce this error on my project. Could you share your project with [email protected]?

  • hongbing.wang created

    Hi İsmail, I have shared the original Zero 13.3 project with [email protected]

  • m.aliozkaya created
    Support Team

    Hi @hongbing.wang,

    I can't reproduce the issue on your project. It is working well on my side.

  • hongbing.wang created

    Hi İsmail,

    I have asked my colleagues to do the same test on the original Zero 13.3 code (both in debug and production build). My colleagues can reproduce it too. Could you please share a video of your test? Is there any difference between our test methods?

  • m.aliozkaya created
    Support Team

    Hi @hongbing.wang,

    Could you access this link? https://drive.google.com/file/d/1YyWIjxnyNOvuCkouR3ACy-nk-kCVBR3o/view?usp=drive_link

  • hongbing.wang created

    Please download the video file.

  • m.aliozkaya created
    Support Team

    Hi @hongbing.wang,

    Could you share your project with support@aspnetzero?

  • m.aliozkaya created
    Support Team

    Hi @hongbing.wang,

    Sorry for asking again. I found the project in my emails. But I still can't reproduce it. Maybe we should plan a call about this.

  • hongbing.wang created

    Hi @m.aliozkaya, a call would be good. I'm available from 10 AM to 5 PM AEST. But I will make myself available after hours up to 10 PM if that suits you.

  • ismcagdas created
    Support Team

    Hi @hongbing.wang

    We have tested this on the project you shared but couldn't reproduce the problem. Is there a live URL which we can access to test this problem? You can send an email to [email protected] for details.