gotomyaccounts/Portal_Web_App
Private
Public Access
1
0
Issues 86 Projects 1 Activity

[GTMAWEB-113] Enhanced GateKeeper for more seamless auto-logins #81

New Issue
Closed
opened 2025-02-13 08:20:27 +00:00 by gtmadev · 0 comments
gtmadev commented 2025-02-13 08:20:27 +00:00
Owner
Copy Link

We will add a new background 2FA feature for auto-login tokens. When a user comes in through an auto-login token, gatekeeper will try to validate it. If the age is below x minutes, we will also write or refresh a special 2FA token cookie. The purpose of this 2FA token is if the same user comes through with an expired token, we will auto-renew it as long as the 2FA cookie (token) matches their user record. In those cases, we have reasonable certainty that they are the same person and we can renew their token without asking them to click through an email.

If the 2FA token does not exist, or does not match the user, they will see the same message like we see now. They can click a button to receive the re-issue token by email. As long as this happens in less than x minutes, the 2FA token cookie will get written to the browser on that use. And thus, they will not get prompted again in the future.

Note: If the token is older than 30 days.. then it will be expired completely and won't be renewable. I think that condition though should be very rare.

This will make token renewals much easier for users (they won't be pestered to click through an email), and if they do, it is just a one-time thing.

Issue metadata

  • Issue type: New Feature
  • Priority: Medium
  • Fix versions: 4.1
We will add a new background 2FA feature for auto-login tokens. When a user comes in through an auto-login token, gatekeeper will try to validate it. If the age is below x minutes, we will also write or refresh a special 2FA token cookie. The purpose of this 2FA token is if the same user comes through with an expired token, we will auto-renew it as long as the 2FA cookie (token) matches their user record. In those cases, we have reasonable certainty that they are the same person and we can renew their token without asking them to click through an email. If the 2FA token does not exist, or does not match the user, they will see the same message like we see now. They can click a button to receive the re-issue token by email. As long as this happens in less than x minutes, the 2FA token cookie will get written to the browser on that use. And thus, they will not get prompted again in the future. Note: If the token is older than 30 days.. then it will be expired completely and won't be renewable. I think that condition though should be very rare. This will make token renewals much easier for users (they won't be pestered to click through an email), and if they do, it is just a one-time thing. --- **Issue metadata** - Issue type: New Feature - Priority: Medium - Fix versions: 4.1
gtmadev added this to the GoToMyAccounts project 2025-10-27 07:56:43 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Doing
To Do
on-hold
priority::high
High priority
 priority::low
Low priority
 priority::medium
Medium priority
 research
type::Feature Request
type::bug
type::enhancement
type::proposal
type::task
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project GoToMyAccounts
Assignees
Clear assignees
gtmadev
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: gotomyaccounts/Portal_Web_App#81
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?