Add "Trust this device/browser" option for 2FA

Problem/Justification

In the current TrueNAS interface, when Two-Factor Authentication (2FA) is enabled with applications like Google Authenticator, users may be required to enter their 2FA code more frequently than expected, even from their own secure and frequently used workstations. The lack of a clear pattern as to when the code will be requested again makes this situation even more unpredictable. This negatively impacts the user experience, especially for access from these trusted workstations, leading to time loss and unnecessary steps. The absence of a “Trust this device/browser” option—which would allow the 2FA code to be remembered for a user-configurable and longer period (e.g., 30 days) on trusted devices without significantly compromising security—is a shortcoming for users who require frequent access. This feature would help establish a better and more predictable balance between ease of use and security.

Impact

  • Advantages:
    • Improved User Experience: Offers a smoother and faster login process for users by reducing the frequency of 2FA code entry when logging in from trusted devices.
    • Increased Productivity: Saves time, especially for administrators and users who frequently access the TrueNAS interface.
    • Enhanced User Adoption: Making the additional security step of 2FA less intrusive and more predictable can encourage wider adoption of 2FA.
    • Balanced Security: Allows users to mark specific devices as “trusted,” providing convenience without significantly compromising security. The 2FA requirement will persist for access from unknown or untrusted devices, or after the trust period expires.
  • Disadvantages:
    • Potential Security Risk (If Not Implemented Correctly): If a device marked as trusted is compromised (e.g., stolen or infected with malware), the risk of unauthorized access from that device could increase during the trust period. This risk can be mitigated by providing an interface for users to manage and revoke trusted devices and by enforcing clear expiration of the trust.
    • Additional Development and Maintenance Load: Developing and maintaining this feature will require additional resources from the TrueNAS team.

User Story

As a TrueNAS administrator, I access the TrueNAS interface from my main workstation several times a day. While it doesn’t ask for the 2FA code on every single login, it prompts for it quite frequently, and I’m not sure what triggers the re-prompt. Each time it does, I have to open my Google Authenticator app and enter a new 2FA code. This is an interruption and a repetitive process on a device I inherently trust.

With the new feature, after logging in with a 2FA code for the first time on my workstation, I expect to see a checkbox like “Trust this browser for 30 days.” If I check this box, I will not be asked for a 2FA code again for the next 30 days as long as I use the same browser and workstation. However, if I try to log in from a different browser, a different device, in incognito mode, or if the 30-day period expires, the 2FA code will be requested again to ensure security. Additionally, I expect to be able to see a list of devices I have previously trusted and revoke this trust at any time from a section like “Trusted Devices” in the TrueNAS settings. This would significantly speed up my workflow by making 2FA prompts predictable on my trusted machine, while allowing me to remain confident in my security.
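One way the server side of such a feature could be modelled, as an added example that is not TrueNAS code and not part of the original request: the browser keeps an opaque random token in an HttpOnly cookie, the server stores only a hash of it with an owner, a label and an expiry, and the login flow skips the authenticator prompt only while that record is live and unrevoked. The store, the function names and the 30-day default are assumptions made for illustration.

```python
"""Trusted-browser token model for a TOTP-protected login (illustrative, not TrueNAS code).

Assumptions: the raw token travels in an HttpOnly/Secure cookie; the server keeps
only its SHA-256 hash, so a leaked table yields nothing reusable; an in-memory dict
stands in for the real database.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

TRUST_DAYS = 30  # user-configurable trust period from the request


@dataclass
class TrustedDevice:
    device_id: str      # short id shown in a "Trusted Devices" list
    user: str
    token_hash: str     # sha256 of the cookie value; the raw token is never stored
    label: str          # e.g. the User-Agent string, so the user can recognise it
    created: datetime
    expires: datetime
    revoked: bool = False


@dataclass
class TrustStore:
    devices: dict = field(default_factory=dict)  # token_hash -> TrustedDevice


def _hash(token: str) -> str:
    # Lookup by hash of a 256-bit random token: no timing leak on comparison.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_trust_token(store, user, label, now, days=TRUST_DAYS):
    """Call once, after password + TOTP both succeeded and the box was ticked.
    Returns the raw token to set as the cookie."""
    token = secrets.token_urlsafe(32)
    dev = TrustedDevice(device_id=secrets.token_hex(4), user=user,
                        token_hash=_hash(token), label=label,
                        created=now, expires=now + timedelta(days=days))
    store.devices[dev.token_hash] = dev
    return token


def is_trusted(store, user, token, now):
    """True only for a live, unrevoked record that belongs to this user."""
    if not token:
        return False
    dev = store.devices.get(_hash(token))
    return (dev is not None and dev.user == user
            and not dev.revoked and now < dev.expires)


def list_trusted_devices(store, user, now):
    """What the "Trusted Devices" settings page would display."""
    return [d for d in store.devices.values()
            if d.user == user and not d.revoked and now < d.expires]


def revoke_device(store, user, device_id):
    for d in store.devices.values():
        if d.user == user and d.device_id == device_id:
            d.revoked = True
            return True
    return False


def revoke_all(store, user):
    """Should run on password change or 2FA reset so old trust does not outlive them."""
    for d in store.devices.values():
        if d.user == user:
            d.revoked = True


def login(store, user, password_ok, totp_ok, trust_token, now, label="", remember=False):
    """Returns (status, new_cookie_token).

    totp_ok is None when no code has been entered yet, else the verification result.
    Status is 'denied', 'needs_totp' or 'ok'. The trusted-browser path only ever
    replaces the second factor; the password is always required.
    """
    if not password_ok:
        return "denied", None
    if is_trusted(store, user, trust_token, now):
        return "ok", None               # second factor satisfied by the trusted browser
    if totp_ok is None:
        return "needs_totp", None       # unknown/expired/revoked device: prompt for the code
    if not totp_ok:
        return "denied", None
    new_token = issue_trust_token(store, user, label, now) if remember else None
    return "ok", new_token
```

The decision is driven entirely by server-side state, so expiry and revocation take effect immediately regardless of what the browser still holds, and a different browser, an incognito window or another device simply has no cookie and falls back to the normal prompt.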

That would be expected when enabling 2FA, no?

You’re right, entering a code is an expected part of the process for enhanced security when 2FA is enabled, and I absolutely agree with that fundamental principle. The main emphasis here isn’t about the necessity of entering a code in general, but rather the frequency with which it’s required, even on devices we consider secure and use constantly, like our primary workstation.

My request isn’t to disable 2FA or reduce security. On the contrary, it’s to improve the user experience by adding an option like “Trust this device for X days,” a feature already common in many modern services (banking apps, email services, etc.). This would allow a user to bypass this step for a defined period on a device they are responsible for and whose security they are confident in, while 2FA would still be fully enforced for all logins from different or new devices.

In essence, the goal is to provide a degree of flexibility and convenience on frequently used and user-verified trusted devices without compromising overall security. This can make daily use smoother and may even encourage broader adoption of 2FA.