Audit Log (Tracking usage of MFA codes) #5

@garyhtou

Description

It would be cool to know who's requesting/using MFA codes; especially for our critical accounts.

Context: Slack bots support interactive messages; such as messages with buttons.

Solution 1: Tracking after usage

The MFA Slack message will include an "I used it" button. When clicked, the message will update by removing the button and adding the user's name to the message (something along the lines of "Used by @garyhtou").

Example:

  1. Your SendGrid verification code is: 123456
    [I used it button]

  2. *user clicks button*
  3. Your SendGrid verification code is: 123456
    Used by @garyhtou

This solution keeps the quick and low-barrier user flow. You can glance at the Slack notification to get the code. However, the button likely won't be used.

Solution 2: Tracking before usage

Alternatively, we can hide the code until a user clicks an "I requested it" button. This will provide us with a more accurate audit log of who has accessed accounts. Having this public and accurate audit log may also help deter unnecessary access to accounts.

Example:

  1. Your SendGrid verification code is: REDACTED
    [I requested it button]

  2. *user clicks button*
  3. Your SendGrid verification code is: 123456
    Used by @garyhtou

This solution would likely require some sort of short-term storage. This codebase is currently stateless (it doesn't have a storage solution). We could maybe get creative and store the code in a hidden way within the Slack message, then retrieve it from the Slack message when responding to the button click. Or, we can set up a simple in-memory store (preferred).

Here are a couple of additional ideas based on this "tracking before usage" solution:

  • This "tracking before usage" feature could be enabled for only some critical accounts. For example, if the SMS contains "SVB", then enable this feature for that Slack message. All other messages would function as they currently do.
  • Only allow users in a whitelist to click the "I requested it" button. This whitelist could be defined as YAML/JSON. Example:
    SVB: # if the SMS contains "SVB", then only the following slack users are allowed
      - "slack user id here"
      - "another slack user id here"
    "First Republic":
      - "slack user id here"
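
Added example (not code from this repository or its author): a Python sketch of the "tracking before usage" flow with the in-memory store and per-account allowlist described above. It assumes six-digit codes as in the examples, a hypothetical `CodeStore` with a TTL, and constructed Slack user ids; the Block Kit payload shape (section, actions, button with `action_id` and `value`) is Slack's real format, but nothing here calls the Slack API.

```python
import re
import secrets
import time

# Constructed allowlist in the shape sketched above: each key is a substring to look
# for in the SMS text, each value is the list of Slack user ids allowed to reveal that
# account's code. The user ids are made up.
ALLOWLIST = {
    "SVB": ["U0001", "U0002"],
    "First Republic": ["U0001"],
}

CODE_TTL_SECONDS = 600          # assumption: MFA codes are short-lived, so is the store
CODE_RE = re.compile(r"\b\d{6}\b")  # assumption: six-digit codes, as in the examples


class CodeStore:
    """In-memory store for codes hidden behind an 'I requested it' button.
    The clock is injectable so expiry can be exercised without sleeping."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}   # token -> (code, original sms text, expiry timestamp)
        self.audit_log = []  # (slack user id, account key, outcome)

    def put(self, code, sms_text):
        # The token is what goes into the button's value; it is random, so a forged
        # block_actions payload cannot reveal a code by guessing its token.
        token = secrets.token_urlsafe(16)
        self._entries[token] = (code, sms_text, self._now() + CODE_TTL_SECONDS)
        return token

    def get(self, token):
        entry = self._entries.get(token)
        if entry is None:
            return None
        code, sms_text, expires_at = entry
        if self._now() > expires_at:
            del self._entries[token]
            return None
        return code, sms_text

    def delete(self, token):
        self._entries.pop(token, None)


def matching_account(sms_text):
    """Return the allowlist key whose substring appears in the SMS, or None."""
    for key in ALLOWLIST:
        if key in sms_text:
            return key
    return None


def build_message(store, sms_text):
    """Turn an inbound SMS into a Slack message payload. Critical accounts get the
    code replaced by REDACTED plus a button; everything else is posted unchanged."""
    account = matching_account(sms_text)
    code_match = CODE_RE.search(sms_text)
    if account is None or code_match is None:
        return {"text": sms_text, "blocks": []}
    code = code_match.group(0)
    token = store.put(code, sms_text)
    redacted = sms_text.replace(code, "REDACTED")
    return {
        "text": redacted,
        "blocks": [
            {"type": "section", "text": {"type": "mrkdwn", "text": redacted}},
            {"type": "actions", "elements": [{
                "type": "button",
                "text": {"type": "plain_text", "text": "I requested it"},
                "action_id": "reveal_code",
                "value": token,
            }]},
        ],
    }


def handle_button_click(store, token, user_id):
    """Handle a button click (Slack sends the button's value and the clicking user).
    Returns the text the message should be updated to and logs every attempt,
    so denied and stale clicks show up in the audit trail too."""
    entry = store.get(token)
    if entry is None:
        store.audit_log.append((user_id, None, "expired_or_unknown"))
        return "This code has expired or was already revealed."
    code, sms_text = entry
    account = matching_account(sms_text)
    if user_id not in ALLOWLIST.get(account, []):
        store.audit_log.append((user_id, account, "denied"))
        return sms_text.replace(code, "REDACTED") + f"\nAccess denied for <@{user_id}>"
    store.delete(token)  # one reveal per code; a second click finds nothing
    store.audit_log.append((user_id, account, "revealed"))
    return f"{sms_text}\nUsed by <@{user_id}>"
```

The token in the button value is the only thing the bot needs to find the hidden code, so the store never has to trust anything else in the click payload; the allowlist check happens before the code is looked at, and the entry is deleted on a successful reveal so the same button cannot be reused.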
