Inconsistent Behavior when Using "Remember browser" - allowRememberBrowser Flag in Actions

Problem statement

“Remember browser” (the allowRememberBrowser flag) behaves inconsistently when the MFA challenge is triggered from an Action. For example, consider a post-login Action that challenges with email only:

exports.onExecutePostLogin = async (event, api) => {
  // Challenge with email only; no other factor is offered to the user.
  api.authentication.challengeWithAny([{type: "email"}]);
}

A user can select “Remember this device for 30 days”. If they enable this option, complete the MFA challenge, and then log in again through the same Action, the MFA prompt is shown again, whereas the remembered browser would be expected to skip it.

Symptoms

“Remember this device for 30 days” does not get respected for the “Email” MFA option.

Solution

This is intentional: it is a security restriction that applies to users who have only email enrolled as an MFA factor, because email alone is effectively the same as having a single factor.

The main concern with this configuration is password reset, which does not require a second factor: access to the email inbox alone is enough to complete it. Assuming a malicious actor has access to the target’s email inbox, the following flow would be possible:

  1. A malicious actor goes to the login page.
  2. Clicks on Forgot password.
  3. Inputs the email address.
  4. Waits for the password reset email to arrive and clicks the reset link.
  5. The malicious actor creates a new password.
  6. The malicious actor goes to the login page again and inputs the newly created password.
  7. The malicious actor is presented with an email MFA challenge.
  8. The malicious actor completes the email MFA challenge by inputting the right code, as they already have access to the email.
  9. The malicious actor is logged in.

If the user had any other MFA factor enrolled, the malicious actor would be stopped at step 7, because that factor is a genuinely independent second factor that email access alone cannot satisfy.

Remembering the browser is therefore disallowed for email-only enrollment: the configuration implies the protection of MFA, but in practice only a single factor (control of the email inbox) is being used.

The easiest workaround to make the “Remember browser” option work with email MFA is to make sure the user is enrolled in at least one other factor, even if the Action never challenges with that factor.
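The following is an added example of how an Action could enforce that workaround itself; it is not code from the original article or from Auth0. It assumes that event.user.enrolledFactors is an array of { type: "<factor>" } objects and that api.authentication.enrollWithAny and api.authentication.challengeWithAny accept such an array; both names are taken from the Auth0 Actions API but are not mentioned on this page, so treat them as assumptions to verify against the current documentation. The simulate() helper and the constructed event are included only so the logic can be run offline.

```javascript
// Added example (not from the original article or Auth0): a post-login Action that
// applies the workaround above. Assumptions: event.user.enrolledFactors is an array of
// { type: "<factor>" } objects, and api.authentication.enrollWithAny / challengeWithAny
// accept an array of such objects.

// Factor types that count as an independent second factor. Email is deliberately
// excluded: whoever controls the inbox can also complete a password reset.
const INDEPENDENT_FACTORS = [
  "otp",
  "push-notification",
  "phone",
  "webauthn-roaming",
  "webauthn-platform",
];

// Decide the MFA step for a user from their enrolled factors.
// Returns { action: "enroll" | "challenge", factors: [...] }.
function decideMfaStep(enrolledFactors) {
  const types = new Set((enrolledFactors || []).map((f) => f.type));
  const hasIndependent = INDEPENDENT_FACTORS.some((t) => types.has(t));
  if (!hasIndependent) {
    // Email-only (or nothing) enrolled: enroll a real second factor first, so that
    // "Remember this device" is never the user's only protection beyond the inbox.
    return {
      action: "enroll",
      factors: [{ type: "otp" }, { type: "push-notification" }],
    };
  }
  // An independent factor exists, so an email challenge is acceptable and the
  // remembered-browser setting is honoured on subsequent logins.
  return { action: "challenge", factors: [{ type: "email" }] };
}

const onExecutePostLogin = async (event, api) => {
  const step = decideMfaStep(event.user && event.user.enrolledFactors);
  if (step.action === "enroll") {
    api.authentication.enrollWithAny(step.factors);
  } else {
    api.authentication.challengeWithAny(step.factors);
  }
};

// Export in the shape Auth0 expects when the file is deployed as an Action.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Offline simulation with a constructed event and a recording stub in place of the
// real api object. The handler contains no await, so its body runs synchronously
// and the recorded calls are complete when it returns.
function simulate(enrolledFactors) {
  const calls = [];
  const api = {
    authentication: {
      enrollWithAny: (factors) => calls.push({ method: "enrollWithAny", factors }),
      challengeWithAny: (factors) => calls.push({ method: "challengeWithAny", factors }),
    },
  };
  // Constructed sample user; the user_id is a placeholder.
  const event = { user: { user_id: "auth0|example-user", enrolledFactors } };
  onExecutePostLogin(event, api);
  return calls;
}

console.log("email only :", JSON.stringify(simulate([{ type: "email" }])));
console.log("email + otp:", JSON.stringify(simulate([{ type: "email" }, { type: "otp" }])));
```

With only email enrolled the Action enrolls an independent factor instead of challenging with email, so the user never ends up in the email-only state where the remembered browser is ignored; once another factor exists, the email challenge is issued as before and the 30-day setting takes effect. The list of factor types in INDEPENDENT_FACTORS should be adjusted to whatever factors the tenant actually has enabled.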

Additionally, if email is to be the default second factor at login, it is strongly advised to customize password reset so that it does not rely on email alone, for the reason described above.