Annotate sign-in reCAPTCHA from 2-factor attempts #11801
Conversation
|
Some open questions:
|
vrajmohan
force-pushed
the
vm-annotate-recaptcha-on-authentication
branch
2 times, most recently
from
0683bf1 to
d109870
Compare
From what I recall, it's used by Google to interpret as a failed or abandoned attempt if the user never subsequently succeeds . The documentation says "old assessment with ENUM_VALUES.INITIATED_TWO_FACTOR reason that has not been overwritten with PASSED_TWO_FACTOR is treated as an abandoned 2FA flow".
I think it's best to clean up if we don't intend to use it again (including browser back button, etc.), particularly if we're going to store it in |
|
Deleting the annotation id after use would prevent us from annotating a subsequent PASSED_TWO_FACTOR after a FAILED_TWO_FACTOR annotation. (I acknowledge that FAILED_TWO_FACTOR is scope creep for this story.) We could definitely delete after a PASSED_TWO_FACTOR, as I see less benefit in accounting for the other way (ie PASSED_TWO_FACTOR followed by FAILED_TWO_FACTOR). |
vrajmohan
force-pushed
the
vm-annotate-recaptcha-on-authentication
branch
3 times, most recently
from
0fc407b to
fe271ca
Compare
lib/analytics_events_documenter.rb
Outdated
| @@ -19,6 +19,7 @@ class AnalyticsEventsDocumenter | |||
| pending_profile_idv_level | |||
| proofing_components | |||
| profile_history | |||
| recaptcha_annotation | |||
There was a problem hiding this comment.
Is this to avoid errors on missing documentation for the analytics method call? I'd expect we'd update the analytics method signatures to include this property if it's something we expect will be logged.
There was a problem hiding this comment.
IMO, the recaptcha_annotation is of lesser interest in the events being logged and I was leveraging the **extra argument in the signatures of all the affected events.
If we think it is important and want to add the documentation, I can do so.
There was a problem hiding this comment.
I think it's relevant to be documented.
| @@ -217,6 +221,7 @@ def track_authentication_attempt | |||
| success = current_user.present? && | |||
| !user_locked_out?(user) && | |||
| (recaptcha_response.success? || log_captcha_failures_only?) | |||
| session[:recaptcha_assessment_id] = recaptcha_assessment_id if recaptcha_assessment_id | |||
There was a problem hiding this comment.
To leave open the option of using reCAPTCHA for other, non-sign-in features, I think it could be wise to add a qualifier here, similar to what we do with user_session[:phone_recaptcha_assessment_id] (e.g. session[:sign_in_recaptcha_assessment_id]).
There was a problem hiding this comment.
This was my open question #3:
Use plain :recaptcha_assessment_id in session as there's no value in a more specific namespace
Will Google assign different assessment ids for the same device session?
My thought was to create a ticket to move user_session[:phone_recaptcha_assessment_id] also to use session[:recaptcha_assessment_id].
There was a problem hiding this comment.
They're separate assessments, and we'd want to annotate them separately. I don't think we want to consolidate the values.
I was confused between |
changelog: Upcoming Features, Recaptcha, Annotate sign-in reCAPTCHA from 2-factor attempts
vrajmohan
force-pushed
the
vm-annotate-recaptcha-on-authentication
branch
from
0a0f87a to
bc2e633
Compare
changelog: Upcoming Features, Recaptcha, Annotate sign-in reCAPTCHA from 2-factor attempts
🎫 Ticket
Link to the relevant ticket:
Annotate sign-in reCAPTCHA after fully authenticated
🛠 Summary of changes
recaptcha_assessment_idin session.recaptcha_assessment_idin session.recaptcha_assessment_idin session.recaptcha_annotationalong with the pre-existing event whenever an annotation is made.📜 Testing Plan
Provide a checklist of steps to confirm the changes.
sign_in_recaptcha_percent_testedto 100recaptcha_annotationin log/events.log