Two factor code useable more than once #29

theglobe · 2020-05-18T10:13:16Z

It is possible to use the second factor code more than once, e.g. when using the EmailTokenProvider. For security, I would expect that the second factor code becomes invalid after a successful login.

To reproduce:

Log in with two factors.
Log out
Log in with two factors, using the second factor code from step 1.

A possible workaround is to call UserManager.UpdateSecurityStampAsync(userId) after a successful two factor authentication. This will invalidate all issued second factor codes for the user.

The text was updated successfully, but these errors were encountered:

nhendersn52 · 2020-08-14T13:01:55Z

Thanks for posting that workaround, I've been trying to find a way to invalidate used codes.
I would also recommend calling that method before the code is generated, since any previous codes that have been generated that are still within the six minute window can be used if the user hasn't successfully signed in. Very strange that this functionality exists.

theglobe · 2020-08-17T12:03:20Z

Good point! Thanks!

By the way, is this project still maintained or has it moved somewhere else?

theglobe · 2020-08-18T10:50:15Z

Described the workaround more elaborately in an answer on Stack Overflow

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Two factor code useable more than once #29

Two factor code useable more than once #29

theglobe commented May 18, 2020 •

edited

nhendersn52 commented Aug 14, 2020

theglobe commented Aug 17, 2020

theglobe commented Aug 18, 2020 •

edited

Two factor code useable more than once #29

Two factor code useable more than once #29

Comments

theglobe commented May 18, 2020 • edited

nhendersn52 commented Aug 14, 2020

theglobe commented Aug 17, 2020

theglobe commented Aug 18, 2020 • edited

theglobe commented May 18, 2020 •

edited

theglobe commented Aug 18, 2020 •

edited