Affects Version/s: None
Fix Version/s: v2.6.0
Currently, changing a password requires providing the existing one (except for the admin user). This is implemented as a special case and is not fully correct when 2FA is used. What is more, we should have consistent support for re-authentication or step-up authN in other places in Unity as well, for all of the following sensitive operations:
- changing a local credential (password, telephone number of the SMS credential)
- changing the contact email address attribute (it may be used to reset the password or to change the SMS credential number)
- changing the contact mobile number attribute (as above)
In all of the above cases we should require additional or repeated authentication of the user if:
- the user was authenticated entirely with remember-me (no credential was provided when the session was started)
- the user was authenticated with a credential, but the 2nd factor which would otherwise have been used was skipped due to the remember-me feature
- the user was authenticated fully, but the authentication took place more than 5 minutes ago (by default; configurable)
So for all sensitive operations we should check the policy given above. We also need another piece of configuration to control which credential should be asked for during re-authentication, for example:
reAuthenticationGraceTime=600 #if 0 then require re-authN always
reAuthenticationBlockOnNoOption=true # used when policy returns no valid authN option
The special entries are:
- ENDPOINT_2F - credentials from the endpoint's 2nd factor configuration; useful for step-up authN when the endpoint's policy requires only the 1st factor to authenticate
- SESSION_1F, SESSION_2F - the credential used for the user's session, either the 1st factor or the 2nd; useful to obtain re-authentication semantics. In the case of remembered logins this falls back to the credential which was originally used to authenticate the user.
- CURRENT - available only when the sensitive operation is changing an existing credential; requests authentication with the credential being changed. This credential must be enabled on the endpoint.
After applying the policy there should be exactly one or no authentication option returned for re-authentication. The UI should re-authenticate the user in a popup with it. Remote options should not be used.
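To make the trigger policy and the option resolution concrete, here is a small model of both in Python. It is an added example, not Unity's code: the session and endpoint field names, the name of the credential list (`options`) and the "first usable entry wins" rule are assumptions; only the three triggers, the two configuration keys and the ENDPOINT_2F / SESSION_1F / SESSION_2F / CURRENT entries come from this issue.

```python
"""Model of the re-authentication policy for sensitive operations (example only)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Session:
    """What a login session is assumed to record about how it was established."""
    first_factor: Optional[str]            # credential checked at login; None for a fully remembered login
    second_factor: Optional[str]           # credential checked as 2nd factor; None if skipped or not used
    original_first_factor: str             # credential used when the remembered login was first created
    original_second_factor: Optional[str]  # same for the 2nd factor, if any
    second_factor_expected: bool           # endpoint would normally have asked for a 2nd factor
    remembered: bool                       # session came from a remember-me token
    authenticated_at: float                # epoch seconds of the last real credential check


@dataclass
class Endpoint:
    enabled: Set[str]                      # all authentication options enabled on the endpoint
    remote: Set[str]                       # subset that are remote (SAML/OIDC); never used for re-authn
    second_factor_credentials: List[str]   # endpoint's 2nd factor configuration, in order


@dataclass
class ReAuthnConfig:
    grace_time: int = 600                  # reAuthenticationGraceTime; 0 means always re-authenticate
    block_on_no_option: bool = True        # reAuthenticationBlockOnNoOption
    # Assumed name for the configured list of credentials to ask for, in order of preference.
    options: List[str] = field(
        default_factory=lambda: ["CURRENT", "SESSION_2F", "ENDPOINT_2F", "SESSION_1F"])


def reauthn_reason(s: Session, cfg: ReAuthnConfig, now: float) -> Optional[str]:
    """Return why re-authentication is required, or None if the session is fresh enough."""
    if s.remembered and s.first_factor is None:
        return "remember-me login: no credential was presented"
    if s.second_factor_expected and s.second_factor is None:
        return "2nd factor skipped by remember-me"
    if cfg.grace_time == 0 or now - s.authenticated_at > cfg.grace_time:
        return "authentication older than the grace time"
    return None


def resolve_entry(entry: str, s: Session, ep: Endpoint, current: Optional[str]) -> Optional[str]:
    """Map one configured entry to a concrete credential, or None if it yields nothing usable."""
    if entry == "ENDPOINT_2F":
        usable = [c for c in ep.second_factor_credentials if c in ep.enabled and c not in ep.remote]
        return usable[0] if usable else None
    if entry == "SESSION_1F":
        cred = s.first_factor or s.original_first_factor      # fall back for remembered logins
    elif entry == "SESSION_2F":
        cred = s.second_factor or s.original_second_factor
    elif entry == "CURRENT":
        cred = current  # None unless the operation changes an existing credential
    else:
        cred = entry    # a literal credential name
    if cred is None or cred in ep.remote or cred not in ep.enabled:
        return None
    return cred


def plan(s: Session, cfg: ReAuthnConfig, ep: Endpoint, now: float,
         current: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Decide what the UI must do: ('proceed', None), ('reauthn', credential) or ('block', None)."""
    if reauthn_reason(s, cfg, now) is None:
        return ("proceed", None)
    for entry in cfg.options:  # assumed rule: the first entry that resolves is the single option
        cred = resolve_entry(entry, s, ep, current)
        if cred is not None:
            return ("reauthn", cred)
    # No valid option: reAuthenticationBlockOnNoOption decides between refusing and letting it through.
    return ("block", None) if cfg.block_on_no_option else ("proceed", None)


if __name__ == "__main__":
    import time
    now = time.time()
    ep = Endpoint(enabled={"password", "sms", "saml"}, remote={"saml"}, second_factor_credentials=["sms"])
    remembered = Session(None, None, "password", "sms", True, True, now - 60)
    print(reauthn_reason(remembered, ReAuthnConfig(), now), plan(remembered, ReAuthnConfig(), ep, now, "password"))
```

Note the remote case: a user whose session was established through a remote authenticator resolves SESSION_1F to that remote option, which is then discarded, so whether the operation is blocked or allowed depends entirely on reAuthenticationBlockOnNoOption.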