Audit Log (Tracking usage of MFA codes) #5

Open
garyhtou opened this issue Jan 2, 2024 · 2 comments

Comments

@garyhtou (Member) commented Jan 2, 2024

It would be cool to know who's requesting/using MFA codes; especially for our critical accounts.

Context: Slack bots support interactive messages; such as messages with buttons.

Solution 1: Tracking after usage

The MFA Slack message will include an "I used it" button. When clicked, the message will update by removing the button and adding the user's name to the message (something along the lines of "Used by @garyhtou").

Example:

  1. Your SendGrid verification code is: 123456
    [I used it button]

  2. *user clicks button*
  3. Your SendGrid verification code is: 123456
    Used by @garyhtou

This solution keeps the quick and low-barrier user flow. You can glance at the Slack notification to get the code. However, the button likely won't be used.

Solution 2: Tracking before usage

Alternatively, we can hide the code until a user clicks an "I requested it" button. This will provide us with a more accurate audit log of who has accessed accounts. Having this public and accurate audit log may also help deter unnecessary access to accounts.

Example:

  1. Your SendGrid verification code is: REDACTED
    [I requested it button]

  2. *user clicks button*
  3. Your SendGrid verification code is: 123456
    Used by @garyhtou

This solution would likely require some sort of short-term storage. This codebase is currently stateless (it doesn't have a storage solution). We could maybe get creative and store the code in a hidden way within the Slack message, then retrieve it from the Slack message when responding to the button click. Or, we can set up a simple in-memory store (preferred).

Here are a couple of additional ideas based on this "tracking before usage" solution:

  • This "tracking before usage" feature could be enabled for only some critical accounts. For example, if the SMS contains "SVB", then enable this feature for that Slack message. All other messages would function as they currently do.
  • Only allow users in a whitelist to click the "I requested it" button. This whitelist could be defined as YAML/JSON. Example:

    ```yaml
    SVB: # if the SMS contains "SVB", then only the following Slack users are allowed
      - "slack user id here"
      - "another slack user id here"
    "First Republic":
      - "slack user id here"
    ```
@garyhtou (Member, Author)

After further thought, I'd rename the "I requested it" button to "See code".

A code should be able to be seen multiple times (e.g. by multiple people). When the button is clicked, send an ephemeral message and log the viewer.
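The "tracking before usage" design from the opening post (redact the code, allowlist per critical account, in-memory store) together with the follow-up refinement (a "See code" button that can be clicked by several people, each click answered with an ephemeral message and logged) can be sketched as plain Python. This is an added example, not the project's code: the Slack API calls are replaced by returned dicts, the allowlist is a constructed JSON document in the shape the YAML above suggests, the Slack user ids and the 6-8 digit code pattern are assumptions, and the code lives in a process-local store with a TTL so that stale codes cannot be revealed later.

```python
import json
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed allowlist (JSON variant of the YAML sketched in the issue):
# key = substring that marks a critical account, value = Slack user ids that may reveal its codes.
ALLOWLIST = json.loads("""
{
  "SVB": ["U_ALICE", "U_BOB"],
  "First Republic": ["U_ALICE"]
}
""")

CODE_RE = re.compile(r"\b\d{6,8}\b")  # assumption: MFA codes arrive as a 6-8 digit run


@dataclass
class PendingCode:
    code: str
    account: str                 # allowlist key that matched the SMS
    created_at: float
    viewers: list = field(default_factory=list)


class CodeStore:
    """In-memory store; the random token is what the button carries back on click."""

    def __init__(self, ttl_seconds: int = 600):
        self.ttl = ttl_seconds
        self._items: dict = {}

    def put(self, code: str, account: str, now: float) -> str:
        token = secrets.token_urlsafe(16)
        self._items[token] = PendingCode(code, account, now)
        return token

    def get(self, token: str, now: float) -> Optional[PendingCode]:
        item = self._items.get(token)
        if item is None:
            return None
        if now - item.created_at > self.ttl:   # expired codes are useless; drop them
            del self._items[token]
            return None
        return item


def critical_account(sms_text: str) -> Optional[str]:
    """Return the allowlist key contained in the SMS, or None for ordinary messages."""
    for key in ALLOWLIST:
        if key in sms_text:
            return key
    return None


def build_slack_message(sms_text: str, store: CodeStore, now: float) -> dict:
    """Ordinary SMS: relay unchanged. Critical SMS: redact the code, attach a 'See code' button."""
    account = critical_account(sms_text)
    if account is None:
        return {"text": sms_text, "button": None}
    match = CODE_RE.search(sms_text)
    if match is None:
        return {"text": sms_text, "button": None}  # nothing to protect
    token = store.put(match.group(0), account, now)
    return {
        "text": sms_text[:match.start()] + "REDACTED" + sms_text[match.end():],
        "button": {"label": "See code", "value": token},
    }


def handle_see_code(store: CodeStore, token: str, user_id: str, now: float, audit: list) -> dict:
    """Button-click handler: allowlist check, audit entry, ephemeral reply to the clicker only."""
    item = store.get(token, now)
    if item is None:
        return {"ok": False, "ephemeral": "This code has expired or is unknown."}
    if user_id not in ALLOWLIST[item.account]:
        audit.append({"user": user_id, "account": item.account, "at": now, "allowed": False})
        return {"ok": False, "ephemeral": "You are not on the allowlist for this account."}
    item.viewers.append(user_id)     # multiple viewers are fine; each one is recorded
    audit.append({"user": user_id, "account": item.account, "at": now, "allowed": True})
    return {"ok": True, "ephemeral": f"Code: {item.code}", "viewers": list(item.viewers)}


if __name__ == "__main__":
    store, audit = CodeStore(), []
    msg = build_slack_message("Your SVB verification code is: 123456", store, now=1000.0)
    print(msg["text"])                       # code is redacted in the channel
    tok = msg["button"]["value"]
    print(handle_see_code(store, tok, "U_MALLORY", 1001.0, audit))   # denied, still logged
    print(handle_see_code(store, tok, "U_ALICE", 1002.0, audit))     # ephemeral reveal
    print(audit)
```

Denied clicks are written to the audit list as well, since an attempt by someone outside the allowlist is exactly the event the log is meant to surface.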

@garyhtou (Member, Author)

We now have a database: #10
