
MFA: Avoid to having to wait a minute so often, for example right after login
Open, Wishlist, Public

Description

Example use case

  • everything is on fire
  • you need to quickly login and do something else requiring MFA (for example, reset your VCS password)

→ you die :D

For some reason you cannot perform "two normal MFA things" in less than 90 seconds. Every following action could require an additional 90 seconds of waiting.

Steps to reproduce

  1. do login with MFA
  2. do whatever other action requiring MFA - for example, Task: Sign With MFA

What happens if you do the second thing in less than 90 seconds:

[Screenshot: TOTP expired Phorge-Phabricator.png]

Possible Actionable Proposals

Premising that we already have some actions that enable a "High Security" mode for an indefinite time, for example while changing a VCS password, we could probably think about this system, which is not activated by default after login.

Note that the current implementation of the "High Security Mode" already allows the user to disable it anytime.

Proposal 1 - Enable "High Security Mode" for more actions (e.g. after login)

Enabling "High Security Mode" for example after the login could be useful, since of course after a login the user would like to do an indefinite number of things.

[Screenshot: Phorge High Security Mode after MFA.png]

Notes: this is already implemented for the VCS password.

Pro: very simple to implement.

Cons: ?

Proposal 2 - Introduce a default "High Security Mode" with auto-expiration

A kind of compromise. If we don't want to activate an indefinite "High Security Mode" for more actions, why not enable it for just its normal cycle - 90 seconds?

MOCKUP:

[Mockup: Partial High Security Mode MOCKUP.png]

Notes: when the timer runs out, you don't die: you just have to re-enter a MFA for more actions.

Pro: it makes sense semantically.

Cons: ?

Proposal 3 - Enable a checkbox "Keep High Security Mode"

That is, during a normal TOTP, we could add another checkbox. Like this:

  • Don't ask this soon

Or whatever. It would activate the already-existing "High Security Mode" that does not ask for the TOTP twice, so you can perform multiple actions faster instead of waiting 90 seconds between each click (so opening 5 Passphrase credentials takes 5 seconds instead of 7 minutes).

What is NOT covered by this Task

The slowness of the user in taking the token in hand is probably not something we can fight. As speck says, we could add a warning "Get ready, take token in hand" to avoid situations where:

  • You took more than 59.9 seconds
  • Phorge/Phabricator webserver has the wrong clock by 20+ seconds
  • your mobile app has the wrong clock by 20+ seconds
  • you tried to login at 06:00:50 AM generating the token at 06:01:10 AM
  • a weird combination of these things

To avoid this frustrating issue, I think most banks probably have a time window of at least 3 minutes (-1, current, and +1) and not just 60 seconds, since they want to prevent users from delivering weird complaints about the TOTP token expiration, and banks also want to prevent users from asking to disable TOTP so they don't waste their time anymore, while keeping this security measure on as much as possible.

Somebody could say that 3 minutes is a better default than 1. Anyway, I don't see much consensus on increasing this limit (even if I would like to understand whether somebody is happy about the current default).

Here is the most relevant part:

https://we.phorge.it/source/phorge/browse/master/src/applications/auth/factor/PhabricatorTOTPAuthFactor.php$424-429

  private function getTimestepWindowSize() {
    // The user is allowed to provide a code from the recent past or the
    // near future to account for minor clock skew between the client
    // and server, and the time it takes to actually enter a code.
    return 1;
  }

Here is a related comment in a 2018 commit message about this strictness:

...
Reduce the TOTP window from +/- 2 timesteps (allowing ~60 seconds of skew) to +/- 1 timestep (allowing ~30 seconds of skew).
...
rP3da9844564cf7f93916e420ecae64a4faf15a2d7
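As an added example (not code from this task or from Phorge), a minimal RFC 6238 TOTP check in Python that models the two rules discussed above: the +/-1 timestep window from getTimestepWindowSize(), and the "old token cannot be reused" behaviour that forces the wait. The names TotpVerifier, acceptance_span_seconds and walkthrough, the used-timestep bookkeeping, the secret and the timestamps are all constructed for the illustration.

```python
import hashlib
import hmac
import struct

TIMESTEP = 30  # seconds per TOTP timestep (RFC 6238 default, also Phabricator's)
DIGITS = 6

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, now: int, step: int = TIMESTEP) -> str:
    """The code an authenticator app shows at Unix time `now`."""
    return hotp(secret, now // step)

def acceptance_span_seconds(window: int, step: int = TIMESTEP) -> int:
    """Seconds one code is acceptable (past + current + future steps): window=1, 30 s step -> 90 s."""
    return (2 * window + 1) * step

class TotpVerifier:
    """Server-side check modelled on the behaviour the task describes (assumption, not Phorge code):
    accept a code within +/- `window` timesteps, but never consume the same timestep twice."""

    def __init__(self, secret: bytes, window: int = 1, step: int = TIMESTEP):
        self.secret, self.window, self.step = secret, window, step
        self.used_steps: set = set()  # timesteps already spent on an MFA challenge

    def verify(self, code: str, now: int) -> str:
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                if candidate in self.used_steps:
                    return "reused"  # same code presented again: the "wait a minute" case
                self.used_steps.add(candidate)
                return "ok"
        return "invalid"

def walkthrough(secret: bytes = b"constructed-demo-secret") -> list:
    """Login, then a second MFA action 20 s later with the same code, then a fresh code."""
    v = TotpVerifier(secret, window=1)
    t0 = 1_000_020  # constructed timestamp sitting exactly on a timestep boundary
    login = v.verify(totp(secret, t0), t0)
    second = v.verify(totp(secret, t0), t0 + 20)  # the app still shows the same code
    fresh = v.verify(totp(secret, t0 + 30), t0 + 35)  # next timestep's code
    return [login, second, fresh]
```

walkthrough() returns ["ok", "reused", "ok"]: the second action fails until the app rolls over to the next code, which is exactly the 30 to 90 second wait the task is about.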

Event Timeline

valerio.bozzolan created this task.
valerio.bozzolan created this object in space S1 Public.
valerio.bozzolan renamed this task from "Allow to increase the TOTPAuth timestep window size (now 1 minute)" to "MFA: Avoid to having to wait a minute so often, for example right after login". May 9 2023, 10:53
valerio.bozzolan lowered the priority of this task from Low to Wishlist.

I was probably able to reproduce the issue:

  • I log in, using the MFA
  • then I do something else with MFA: I have to wait a minute since the old token cannot be reused

Probably one sensible thing might be: after you used a token (for example after login), keep the high-security mode at least for the duration of a token (e.g. 60 seconds)

It really doesn't make sense otherwise to ask for a token so often. It's impossible otherwise to do more than two actions in ~60 seconds.

I had discussed this with Evan previously and he gave a great explanation for why the current behavior exists, something he refers to as a "spyglass attack". I'd have to go back and review the explanation. What I recall is the outcome being a few options, one of which was prompting the user that they are about to be prompted for MFA before issuing the challenge, to give the user time to prepare.

Ah yeah please share that :) Premising I agree that losing the current token is a problem that can be fixed with "hey, prepare your token, 3, 2, 1, go!"

But... even with that, we do not allow people to perform more than 1 action every 90 seconds.

Thank you speck since you helped me a lot in clarifying the situation.

What do you think about the two short proposals in the description?

The comments in https://secure.phabricator.com/T9770 discuss the "spyglass" attack and how this behavior is meant to be more secure.

In discussion over a support ticket one of the potential options that was discussed was having a "An MFA challenge is about to appear, click to continue" prompt in the workflow as a means to prepare users to get their phones/devices ready so they can respond within the 30 seconds. Right now since MFA is opt-in per each user instead of required per auth portal - the current login workflow will immediately prompt you for MFA after successful login, which might surprise users who fumble to get the TOTP code out (it's happened to me).

I've better triaged my root problem.

Today my boss said something like

BOZ, LISTEN TO ME, GIVE ME THESE 20 CREDENTIALS FROM PASSPHRASE, NOW

(Checked if it was a scam. It was not. It was really my boss in front of me, not a precise mimic from a dungeon)

Then I discovered that it's not possible to fulfill such a request, since it's not possible to do 1 action in <= ~90 seconds, so I really invested ~35 minutes of my life in doing this operation in a safe way, instead of doing it in just ~40 seconds.

I probably would have liked to have had a checkbox like

DO YOU WANT to maintain your maximum security status for other operations as well, and click a popup (F312401) whenever you concluded your things?

So indeed:

  • it's not a good idea to suggest to people to disable TOTP (but I was really tempted)
  • it's not a good idea to use one single TOTP for multiple operations as default
  • but maybe it's a good idea to just have a checkbox to activate features like F312401