Two-factor authentication sometimes does not work on environment after auto logout

Users can access the environment without passing 2FA after the automatic logout (after 10h) on the Production environment.

Such behavior was noticed in the following scenario:

  • after several days of idling, the user goes directly to the Staging environment via a link;
  • the user logs in to the Forest Admin site;
  • a dropdown with environments is displayed, where the Production environment is selected;
  • after the redirect and login, 2FA is not required to access the environment.

Context

  • Two-factor authentication is enabled on the Staging and Production environments
  • Project Name: Leadtime App

Hello @Vasilii,

It seems that you are using forest-express-sequelize@6, which relies on the double verification of the user’s password:

  1. Forest Admin (the app) checks the user’s password when logging in on the platform
  2. Your agent checks the password, and then requests the second factor of authentication.

Can you please tell me if the whole second step has been skipped, or if it was only the verification of the 2nd step of authentication?

Hi, @GuillaumeGautreau!
Only the second half (verification) of the second step is skipped.

Hello @Vasilii,

I could reproduce it on my end. I created a ticket and I’m working on a fix.

I would like to point out that you’re using version 6 of forest-express-sequelize, which will be blocked by future versions of Chrome in development environments only.

I suggest you upgrade to v7, which improves the auto logout, 2FA, and the overall experience with authentication (in addition to fixing the issue with Chrome):

  • We added 2FA on the user’s account: with this version people can define a 2FA when connecting to Forest (instead of one second factor per project, which is not easy to set up and use)
  • Projects can require their users to have defined a second factor on their account
  • The auto logout feature logs people out of the platform
  • With this version, you don’t need to type your password twice when accessing a project anymore

Hello @Vasilii,

We released a new version of the application, fixing the issue you reported. Can you check that it fixes it on your side?

Hi, @GuillaumeGautreau

Looks like it’s resolved, thanks for the help!