Please Revert "New Login Flow"

[mepherion]

Can we revert the "New Login Flow" introduced by #1477 where you:

1. Enter email
2. Authenticate second factor (can be email, SMS or authenticator app)
3. Enter password
4. And finally you are logged in

Security-wise, this is worst than the standard practice of prompting email and password at the same time, then prompting for second factor. There is a good reason why majority of systems do not go this route:

• The "New Login Flow" allows one to identify whether or not an account exists by entering emails until you see options for sending SMS, email, or messages regarding checking authenticator app.
• The "New Login Flow" allows one to send spam email or SMS messages with authenticator codes by entering a valid email and keep pressing the resend button

Security is not about protecting access to your account and your notes. It's also about not leaking any information about accounts in the system.

[thecodrr]

Hey! Thank you for the feedback.

There is a good reason why majority of systems do not go this route

Notesnook's login is fundamentally different than other systems in that your password is used not only to authenticate but also to encrypt. The new login flow moves password to the end to completely disable an attacker from brute-forcing their way into a user's account.

The "New Login Flow" allows one to identify whether or not an account exists by entering emails until you see options for sending SMS, email, or messages regarding checking authenticator app.

This is mitigated by always prompting for 2FA regardless of whether an account exists or not. An attacker would have no way to accurately distinguish between an existing account & a non-existing account.

The "New Login Flow" allows one to send spam email or SMS messages with authenticator codes by entering a valid email and keep pressing the resend button

Yes but I don't think that is a security risk. The attacker has no way of knowing if anything is actually happening unless they have access to the 2FA device.

To mitigate spamming risk, we have added rate limits & in the future we can add rolling lockouts if a user requests too many 2FA codes.

Security is not about protecting access to your account and your notes. It's also about not leaking any information about accounts in the system.

I agree. That is exactly why we added the new login flow. It protects users' notes & also doesn't leak any information.

Please note that we didn't add this on a whim. There are drawbacks to this approach and it can certainly be improved.

[mepherion]

This is mitigated by always prompting for 2FA regardless of whether an account exists or not. An attacker would have no way to accurately distinguish between an existing account & a non-existing account

Currently, you can identify if an account exists by entering it in the sign-up page. If an account exists, it says "Email is invalid or already taken". So you can use that in the login flow to start sending emails with 2FA codes.

[thecodrr]

Yes, that is a known issue and it was present in the old login flow as well. We are working on mitigating this by making email confirmation mandatory.

Unfortunately, there is no way to completely prevent the extra 2FA emails without putting the password at risk (and hence the user). In this case, the extra emails can be taken as alerts to know that you are under attack and take preventive measures. Another thing we can do is let user lock out their account for a specific interval. So if they start receiving spam, they can quickly initial lock out and prevent any further login attempts until the lockout period ends. (Note: all this is just speculation at this point.)

The alternative is the older login flow which on the one hand did not send any extra 2FA emails/SMS but it also put the user's password at risk. It's a trade-off.