
Refactor 2FA UX to let existing users without 2FA set it up #167

Open
1 of 12 tasks
consideRatio opened this issue Oct 30, 2021 · 2 comments
Labels
enhancement New feature or request

Comments


consideRatio commented Oct 30, 2021

It would be good to allow already registered users to register for 2FA authentication.

To implement this, I bet it's relevant to set up dedicated handlers for the 2FA matters. Currently, providing a code is part of the login screen, and setting up 2FA is part of the signup screen. If we would allow users to enable 2FA after they are created, we don't want to forcefully tweak the signup handler to manage this, as it would add too much complexity. It would be better to have a dedicated screen both to set up 2FA and to enter a 2FA code, I think.

I see no reason for this to be backward incompatible, but it will probably be a PR quite significant in size.

Action points (chronological order)

  • Find tentative agreement towards the enhancement and the vague implementation idea presented above about breaking apart the 2FA parts from login/signup.
    @lambdaTotoro what do you think?
  • Establish and describe the planned changes in more detail
    • What new Handlers should be defined
    • What inputs and such should be part of new templates for the new handlers/endpoints?
    • How should the UX be for:
      • A user signing up for 2FA
      • An existing user signing up for 2FA
      • An existing user with / without 2FA logging in
      • If we would require users to activate 2FA if they didn't have it, and it is now required for the hub
  • Implement enhancement
  • Add tests
  • Update documentation where needed

Related

@consideRatio consideRatio added the enhancement New feature or request label Oct 30, 2021
@consideRatio consideRatio changed the title Let existing users without 2FA setup 2FA Refactor 2FA UX to let existing users without 2FA set it up Oct 30, 2021
@lambdaTotoro (Collaborator) commented:

I'm on board with letting already registered users sign up for 2FA, if it is enabled. I can also see the benefit of divorcing it from signup (however, we have to make sure that users know about where to find their 2FA token in their first session), both in general and for the benefit of #72.

Could you elaborate on when exactly the system would ask for the 2FA code, when it isn't part of the login anymore (that's the way I read your proposal)? On changing your password, maybe (see also #170) but where else?

We should also spend some thoughts on what happens when a user loses their 2FA factor and how admins can or could potentially help with that.

@consideRatio (Member, Author) commented:

Could you elaborate on when exactly the system would ask for the 2FA code, when it isn't part of the login anymore (that's the way I read your proposal)?

(however, we have to make sure that users know about where to find their 2FA token in their first session)

Absolutely, I'm thinking that signup is a two-step process for whoever is required to, or opts to, set up 2FA directly on signup:

  1. The username/password form is shown, where one can opt in to sign up.
  2. The 2FA setup should show either directly after signing up, or on the first successful username/password login attempt, assuming the user is authorized etc. The 2FA setup should also show directly after login with password if 2FA is now required. The gist is that the 2FA setup should always be done before accepting the user's login if the user has opted to use 2FA, or if it is now required and the user doesn't have it.

On changing your password, maybe (see also #170) but where else?

Ah, a relevant consideration. I want to avoid spreading the discussion towards something that can be done in a dedicated, smaller scope. I created #171 to represent this consideration instead.

We should also spend some thoughts on what happens when a user loses their 2FA factor and how admins can or could potentially help with that.

Yep, let's create a dedicated issue for this also: #172. This is another motivation to separate the signup page from the 2FA setup page.

I understand it as: we have some agreement that it would be a reasonable direction to head in, to do this refactoring where the 2FA setup and 2FA code validation are extracted from the login page and the signup page, but not necessarily from the login flow or signup flow - just the actual pages we render to the user as part of the login/signup flow.
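The two-step flow sketched in the comments above (password form first, then a dedicated 2FA setup page or a dedicated 2FA code page, and a session only once every gate has passed) is small enough to model as a state machine. The block below is an added example written for this page; it is not code from the issue, from either commenter, or from the project being discussed. The `Step` enum, `User` dataclass, `next_step`/`begin_setup`/`complete_setup`/`complete_verify` names and the `hub_requires_2fa` flag are all assumptions made for illustration. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) using only the standard library, and it covers the four UX cases listed in the action points: a new user opting in at signup, an existing user enabling 2FA later, an existing user with or without 2FA logging in, and 2FA becoming mandatory for the hub after accounts already exist.

```python
# Added example (not the issue's or the project's code): a pure-Python model of
# the proposed two-step login/signup flow with separate 2FA setup and 2FA code
# pages. Names below are assumptions; TOTP is RFC 6238 with HMAC-SHA1.
import base64
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

STEP_SECONDS = 30
DIGITS = 6


class Step(Enum):
    REJECTED = "rejected"      # bad password: back to the login form
    SETUP_2FA = "setup_2fa"    # render the dedicated 2FA setup page
    VERIFY_2FA = "verify_2fa"  # render the dedicated 2FA code page
    LOGGED_IN = "logged_in"    # every gate passed: issue the session


@dataclass
class User:
    username: str
    totp_secret: Optional[bytes] = None  # None: 2FA not set up for this account
    wants_2fa: bool = False              # opted in at signup or from a settings page


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 code for the time step containing `now` (unix seconds)."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Check `code` against the current step and +/- `window` steps, constant-time."""
    if not (isinstance(code, str) and code.isascii() and code.isdigit() and len(code) == DIGITS):
        return False  # reject malformed input before it reaches compare_digest
    candidates = [totp(secret, now + k * STEP_SECONDS) for k in range(-window, window + 1)]
    # Build the full list first so every candidate is compared regardless of a match.
    return any([hmac.compare_digest(c, code) for c in candidates])


def next_step(user: User, password_ok: bool, hub_requires_2fa: bool) -> Step:
    """Page to render after the username/password form has been submitted."""
    if not password_ok:
        return Step.REJECTED
    if user.totp_secret is not None:
        return Step.VERIFY_2FA          # existing user with 2FA: ask for the code
    if hub_requires_2fa or user.wants_2fa:
        return Step.SETUP_2FA           # opted in, or 2FA newly required by the hub
    return Step.LOGGED_IN               # existing user without 2FA, not required


def begin_setup() -> Tuple[bytes, str]:
    """Fresh secret plus the base32 form the user types into an authenticator app."""
    secret = secrets.token_bytes(20)
    return secret, base64.b32encode(secret).decode("ascii")


def complete_setup(user: User, pending_secret: bytes, first_code: str, now: int) -> Step:
    """Store the secret only once the user has proven the authenticator produces codes."""
    if verify_totp(pending_secret, first_code, now):
        user.totp_secret = pending_secret
        return Step.LOGGED_IN
    return Step.SETUP_2FA  # stay on the setup page; nothing was persisted


def complete_verify(user: User, code: str, now: int) -> Step:
    """2FA code page: accept the login only if the code matches the stored secret."""
    if user.totp_secret is not None and verify_totp(user.totp_secret, code, now):
        return Step.LOGGED_IN
    return Step.VERIFY_2FA


if __name__ == "__main__":
    # Walk an existing account through "2FA becomes required for the hub".
    alice = User("alice")
    assert next_step(alice, password_ok=True, hub_requires_2fa=False) is Step.LOGGED_IN
    assert next_step(alice, password_ok=True, hub_requires_2fa=True) is Step.SETUP_2FA
    pending, provisioning = begin_setup()
    import time
    complete_setup(alice, pending, totp(pending, int(time.time())), int(time.time()))
    assert next_step(alice, password_ok=True, hub_requires_2fa=True) is Step.VERIFY_2FA
    print("flow ok; base32 secret shown on the setup page would be", provisioning)
```

Two design points worth carrying into the real handlers: the "password passed, 2FA pending" state and the not-yet-confirmed secret from `begin_setup` must live server-side (or in a short-lived signed token), so the 2FA page cannot be reached by a client that skipped the password step, and an existing user enabling 2FA from a settings page is the same `begin_setup`/`complete_setup` pair run on an already-authenticated session. Persisting the secret only in `complete_setup` is what keeps the "lost factor" case (#172) from being created by a half-finished enrolment.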
