implement a pluggable "bypass MFA if..." solution (for example: "save this browser", or IP based)

[benzkji]

as seen many times.

maybe as a generic solution, that allows to bypass 2FA, given a condition?

[bbisk]

In one of current projects we extended trench with IP whitelisting.
So, what's your idea in depth? Mix user agent data and IP? On our TODO list there is also geolocation. Happy to discuss the topic further.

[benzkji]

Yes, why not mix it all up ;-) As you said you already implemented IP whitelisting, it would be interesting to have a generic solution, and maybe the most common bypass methods built into trench, easily pluggable.

"save this browser" could be one of these. Implementation details up to discuss - some use cookies (with a secret, as value) to remember and verify a browser (kind of a long living 2FA session). If trench is used via tokenauth/jwt from apps, this could be another secret, to be provided, instead of triggering 2FA (I'm not really into Mobile Dev...just thinking loud ;-).

[ckcollab]

Would it make sense to store this information/flag in a server-side cookie? That way it's not by IP or anything, just trusting the particular device storing the cookie. I think this makes sense?

[benzkji]

sure. what we would need, is a pluggable system, where devs could add their own whitelisting methods. some builtin would be nice, cookie and ip for example, as basic showcases.