Summary
Not sure if this is the expected behaviour, but a user required to use MFA has the option to generate recovery codes
even before configuring and enabling it on the account. This option is available after logging in with username / password. This means an attacker that knows the user's password could potentially generate a bunch of recovery codes, bypassing 2FA after it is enabled on the account at a later date.
Steps to reproduce as Admin
As an Admin create a new account for a user with a password but enable requirement for MFA.
Steps to reproduce the behavior as user:
The user logs into the webclient and will get this page
On all other options, when the user clicks, they get the image above.
Scroll to bottom and click Generate codes and store it for later.
After enabling 2FA
Expected behavior
Options to generate codes should not be visible until 2FA has been enabled on the account, I would have thought?
System info:
OS Name: Redhat
OS Version: 9
sftpgo version: SFTPGo 2.3.3-665016e-2022-08-05T08:54:48Z +metrics +azblob +gcs +s3 +bolt +mysql +pgsql +sqlite +portable
sftpgo install source: Yum
Area
Web Client MFA /web/client/mfa
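The expected behaviour described in the report is a state check: recovery codes only make sense once a second factor exists, so the generate action must be gated on TOTP being enabled rather than on the user merely having a password session. The following is an added example written for this page, not SFTPGo's own code. The `User` type, `GenerateRecoveryCodes`, `EnableTOTP`, `CanAccess` and the path `/web/client/mfa/recovery-codes` are assumptions made for illustration; only `/web/client/mfa` comes from the report.

```go
package main

import (
	"crypto/rand"
	"encoding/base32"
	"errors"
	"fmt"
)

// User is a hypothetical account record (assumption, not SFTPGo's data model).
type User struct {
	Username      string
	MFARequired   bool     // admin-side "require MFA" flag from the report
	TOTPEnabled   bool     // true only after the user configured and verified a TOTP secret
	RecoveryCodes []string // issued codes; empty until TOTP is enabled
}

// ErrTOTPNotEnabled is returned when codes are requested before enrollment.
var ErrTOTPNotEnabled = errors.New("recovery codes cannot be generated until TOTP is configured and enabled")

// mfaSetupPath is the page from the report; the recovery-codes path is a hypothetical route.
const (
	mfaSetupPath      = "/web/client/mfa"
	recoveryCodesPath = "/web/client/mfa/recovery-codes" // assumption for illustration
)

// CanAccess models the "all other options are blocked" behaviour from the report:
// a user who must use MFA but has not enrolled may only reach the MFA setup page.
func CanAccess(u *User, path string) bool {
	if u.MFARequired && !u.TOTPEnabled {
		return path == mfaSetupPath
	}
	return true
}

// GenerateRecoveryCodes refuses to mint codes unless TOTP is already enabled,
// so a password-only session cannot stockpile codes ahead of enrollment.
func GenerateRecoveryCodes(u *User, n int) ([]string, error) {
	if !u.TOTPEnabled {
		return nil, ErrTOTPNotEnabled
	}
	codes := make([]string, 0, n)
	for i := 0; i < n; i++ {
		c, err := randomCode()
		if err != nil {
			return nil, err
		}
		codes = append(codes, c)
	}
	u.RecoveryCodes = codes
	return codes, nil
}

// EnableTOTP completes enrollment and discards any codes that might have been
// issued earlier, so enrollment always starts from a clean recovery-code state.
func EnableTOTP(u *User) {
	u.TOTPEnabled = true
	u.RecoveryCodes = nil
}

// randomCode returns 80 bits of CSPRNG entropy as a 16-character base32 string.
func randomCode() (string, error) {
	b := make([]byte, 10)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b), nil
}

func main() {
	u := &User{Username: "alice", MFARequired: true} // constructed sample account
	fmt.Println("recovery page reachable before enrollment:", CanAccess(u, recoveryCodesPath))
	if _, err := GenerateRecoveryCodes(u, 12); err != nil {
		fmt.Println("before enrollment:", err)
	}
	EnableTOTP(u)
	codes, _ := GenerateRecoveryCodes(u, 12)
	fmt.Println("after enrollment:", len(codes), "codes issued")
}
```

The two checks are deliberately independent: even if the page gate in `CanAccess` is bypassed or a new route is added, the `TOTPEnabled` check inside `GenerateRecoveryCodes` still refuses to issue codes, which is the property the report asks for.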