Implement 2fa And Lockout Functionality To The Adm
Product Requirements Document

Product Requirements Document: 2FA and Lockout for Admin Area

1. Introduction/Overview

This document outlines the requirements for implementing Two-Factor Authentication (2FA) and Lockout functionality for the admin area of the system. The primary goal is to enhance the security of the admin area by reducing the risk of account compromise through methods like brute-force attacks. This feature will protect sensitive data and ensure compliance with security standards.

Goal: Implement 2FA and Lockout to enhance the security of the admin area and reduce the risk of unauthorized access.

2. Goals

  • Successfully implement 2FA for all admin users.
  • Implement an account lockout mechanism after a defined number of failed login attempts.
  • Allow administrators to select their preferred 2FA method (initially email).
  • Successfully use version 5 of the SchebTwoFactorBundle.
  • Override the default Sylius AdminUser resource.

3. User Stories

  • As an admin, I want to securely log in to the admin panel using 2FA so that unauthorized users cannot access sensitive data.
  • As an admin, I want to be locked out after multiple failed login attempts so that brute-force attacks are mitigated.
  • As a security officer, I want to ensure that all admin users are using 2FA so that the system is compliant with security policies.
  • As a system administrator, I want to easily configure and manage 2FA settings for admin users so that the system remains secure.
  • As an admin user, I want to select my preferred 2FA method (e.g. email) so I can choose the most convenient option.
  • As a developer, I want to override the admin user Sylius resource to store auth codes so I can use 2FA effectively.
  • As a developer, I want to make adjustments to security.yaml so there are no breakages

4. Functional Requirements

  1. The system must require 2FA for all admin users upon login.
  2. The system must implement an account lockout mechanism that activates after a configurable number of failed login attempts (e.g., 5 attempts).
  3. The system must lock the account for a configurable duration (e.g., 15 minutes).
  4. The system must provide a field in the admin user profile to select the preferred 2FA method. Initially, email will be the only supported option.
  5. The system must use the SchebTwoFactorBundle version 5.
  6. The system must override the default Sylius AdminUser resource to store authentication-related codes.
  7. The system must send 2FA codes via email using the existing transactional email service and templates.
  8. The system must log all 2FA login attempts, including successful and failed attempts.
  9. The system must allow administrators to reset the lockout status of user accounts.
  10. After an admin successfully logs in with 2FA, they should be redirected to the admin dashboard.
  11. The system should provide informative error messages to the user during login, including when 2FA is required and when an account is locked out.
  12. Implement lockout functionality that keeps track of failed login attempts and locks the account after a defined threshold.

5. Non-Goals (Out of Scope)

  • Integration with third-party identity providers (e.g., Google Authenticator, Authy) in the initial implementation.
  • Support for 2FA methods other than email in the initial implementation.
  • Implementing custom 2FA code generation logic. (The bundle's default will be used).
  • Implementing a self-service account recovery process for locked accounts.

6. Design Considerations

  • The 2FA selection field in the admin user profile should be easily accessible and clearly labeled.
  • Email templates for 2FA codes should be consistent with existing transactional email styles.
  • The login page should provide clear instructions on how to use 2FA.

7. Technical Considerations

  • Consider using Symfony's built-in security features for lockout functionality.
  • Ensure the SchebTwoFactorBundle is configured correctly according to its documentation, specifically version 5.
  • The custom AdminUser class should extend the Sylius AdminUser class to maintain compatibility.
  • The email service should be configured to handle high volumes of 2FA code emails.

8. Success Metrics

  • Reduced number of compromised admin accounts (measured by incident reports).
  • Improved compliance with security standards (demonstrated through security audits).
  • Successful adoption of 2FA by all active admin users (tracked by user logins).
  • Minimal support tickets related to 2FA login issues.

9. Open Questions

  • What is the desired lockout duration?
  • What is the acceptable failure rate for sending 2FA codes via email?
  • What specific security standards must this implementation comply with?

Application Log