In the digital era, websites need to provide users with features that make their experience more streamlined and convenient. One of these features is "Remember My Device", which allows users to skip the second factor of authentication and log in to the website with just their Drupal credentials, as long as they are using the same device. Users mark a device as "trusted," eliminating the need to enter the second layer of authentication on subsequent logins from that device for a given period of time (say, 30 days). It was designed to improve the usability of the module and reduce the frequency of TFA being invoked while maintaining its security.
One of the organizations that requested this feature was CEN or the Center for Educational Networking. CENMI is a special education initiative that is funded by the Michigan Department of Education's Office of Special Education. They provide a range of services and resources to educators, parents, and students with disabilities throughout the state of Michigan. miniOrange partnered with CEN to develop this feature and make it available to the wider Drupal community.
About the project
Requirements -
- The "Remember My Device" feature needed to be highly secure and provide a seamless user experience.
- Users should be able to mark a device as ‘trusted’, and subsequent logins from that device should not require the second layer of authentication for a given time period.
- The feature needed to be flexible and customizable, allowing the administrator to configure the maximum number of devices that could be remembered by a user, and the duration for which a user is not prompted to reauthenticate themselves via two-factor authentication (TFA).
Challenges -
- One of the main challenges of implementing the "Remember My Device" feature was ensuring that it did not compromise the security of the Drupal site, while still providing a seamless user experience.
- It was a challenging task to ensure that the feature worked seamlessly across all devices and platforms.
- Another challenge was giving the administrator the flexibility to configure the number of devices that could be remembered by a user and the duration for which the user can skip second-factor authentication and log in using just the Drupal credentials.
Implementation -
The "Remember My Device" feature was implemented by extending the functionality of the miniOrange Drupal 2FA module. The feature uses device fingerprinting to identify trusted devices, and it is compatible with all devices and platforms. When a user logs in and selects "Remember this Device," a device fingerprint is created and stored against the user entity. On subsequent logins by the same user from the same device, the device fingerprint is used to determine whether the device is trusted. If the device is trusted, the second layer of authentication is not required.
The feature was designed to allow the administrator to configure the maximum number of devices that could be remembered by a user, as well as the duration for which the user could skip second-factor authentication.

For instance, suppose the administrator allows up to two devices to be remembered per user, and take a user named John. John can log in to the Drupal site from his work PC (Machine A) and his personal laptop (Machine B) and remember both devices. However, when John attempts to log in from his mobile phone (Machine C), he will not be offered the option to remember the device, and 2FA will be invoked every time. For Machine A and Machine B, 2FA will not be invoked for the period of time set by the administrator.
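The trust check and the John scenario above, modelled as an added example (this is not miniOrange's module code). The keyed hash, the in-memory store, the fingerprint strings and every name below are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: per-site secret kept outside the database
MAX_DEVICES = 2                       # admin setting: devices remembered per user
TRUST_SECONDS = 30 * 24 * 3600        # admin setting: 30-day trust window


class TrustedDevices:
    """In-memory stand-in for the records stored against the user entity."""

    def __init__(self, max_devices=MAX_DEVICES, ttl=TRUST_SECONDS):
        self.max_devices, self.ttl = max_devices, ttl
        self._store = {}  # username -> {fingerprint digest: expiry timestamp}

    @staticmethod
    def _digest(user, fingerprint):
        # Keyed hash bound to the user: a leaked table does not expose raw
        # fingerprints, and a record cannot be reused for another account.
        msg = user.encode() + b"\x00" + fingerprint.encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def _active(self, user, now):
        # Drop expired records so they stop counting against the device limit.
        live = {d: exp for d, exp in self._store.get(user, {}).items() if exp > now}
        self._store[user] = live
        return live

    def can_remember(self, user, now=None):
        """Whether the login form should offer 'Remember this Device'."""
        now = time.time() if now is None else now
        return len(self._active(user, now)) < self.max_devices

    def remember(self, user, fingerprint, now=None):
        """Call only after the second factor has succeeded on this login."""
        now = time.time() if now is None else now
        if not self.can_remember(user, now):
            return False
        self._store[user][self._digest(user, fingerprint)] = now + self.ttl
        return True

    def needs_second_factor(self, user, fingerprint, now=None):
        now = time.time() if now is None else now
        candidate = self._digest(user, fingerprint)
        live = self._active(user, now)
        return not any(hmac.compare_digest(candidate, d) for d in live)
```

Passing `now` explicitly makes the expiry behaviour reproducible: a device remembered at time `t` needs the second factor again once `t + TRUST_SECONDS` has passed, and its slot becomes free for another device.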
Results -
The "Remember My Device" feature has been well received by miniOrange's customers. The feature has enhanced the usability of the Drupal 2FA module, while still maintaining the highest level of security. Overall, the feature has been a valuable addition to the miniOrange Drupal 2FA module, and it is highly recommended for any Drupal site looking to enhance its security posture.
Why Drupal was chosen
- Firstly, Drupal is a highly flexible and customizable platform that can be tailored to meet the specific needs of any organization.
- The security of Drupal websites is crucial, and adding an extra layer of authentication provides an additional level of protection against unauthorized access. Drupal's strong security framework, regular updates, and active community of developers make it one of the most secure CMS platforms available.
- Drupal's modular architecture allowed us to easily integrate the "Remember My Device" feature into the Drupal 2FA module and in turn with the CEN's existing website.
Technical Specifications
Drupal version:
Key modules/theme/distribution used: