It is possible to use the second factor code more than once, e.g. when using the EmailTokenProvider. For security, I would expect that the second factor code becomes invalid after a successful login.
To reproduce:
1. Log in with two factors.
2. Log out.
3. Log in with two factors, using the second factor code from step 1.
A possible workaround is to call UserManager.UpdateSecurityStampAsync(userId) after a successful two factor authentication. This will invalidate all issued second factor codes for the user.
Thanks for posting that workaround, I've been trying to find a way to invalidate used codes.
I would also recommend calling that method before the code is generated, since any previous codes that have been generated that are still within the six minute window can be used if the user hasn't successfully signed in. Very strange that this functionality exists.
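An added example (not code from this issue, nor from ASP.NET Identity itself) showing both suggestions in one MVC 5 account controller: the stamp is rotated before a new code is generated, so earlier unused codes inside the validity window die, and it is rotated again once a code has been verified, so that code cannot be replayed after logout. It assumes the standard template types (ApplicationUser, ApplicationUserManager, ApplicationSignInManager) and view models with the properties used below; those names are assumptions.

```csharp
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// Assumed view models (not part of the issue): hold the provider name, the code the
// user typed, the remember-me flags and the return URL.
public class SendCodeViewModel { public string Provider { get; set; } public bool RememberMe { get; set; } }
public class VerifyCodeViewModel
{
    public string Provider { get; set; }
    public string Code { get; set; }
    public bool RememberMe { get; set; }
    public bool RememberBrowser { get; set; }
    public string ReturnUrl { get; set; }
}

public class AccountController : Controller
{
    private readonly ApplicationUserManager _userManager;     // assumed template type
    private readonly ApplicationSignInManager _signInManager; // assumed template type

    public AccountController(ApplicationUserManager userManager, ApplicationSignInManager signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    // Issue a second-factor code. Rotating the security stamp first invalidates any
    // earlier, still-unused codes, because the token providers derive codes from the stamp.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> SendCode(SendCodeViewModel model)
    {
        var userId = await _signInManager.GetVerifiedUserIdAsync(); // null without the 2FA cookie
        if (userId == null)
        {
            return View("Error");
        }

        await _userManager.UpdateSecurityStampAsync(userId);
        var token = await _userManager.GenerateTwoFactorTokenAsync(userId, model.Provider);
        await _userManager.NotifyTwoFactorTokenAsync(userId, model.Provider, token);

        return RedirectToAction("VerifyCode", new { model.Provider, model.RememberMe });
    }

    // Verify the code. On success the stamp is rotated *before* the full sign-in cookie
    // is issued: the new cookie then carries the fresh stamp (and passes
    // SecurityStampValidator), while the code that was just used is dead for good.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> VerifyCode(VerifyCodeViewModel model)
    {
        var userId = await _signInManager.GetVerifiedUserIdAsync();
        if (userId == null)
        {
            return View("Error");
        }

        var valid = await _userManager.VerifyTwoFactorTokenAsync(userId, model.Provider, model.Code);
        if (!valid)
        {
            // Keep the lockout counter moving on bad codes, as the template's
            // TwoFactorSignInAsync does.
            await _userManager.AccessFailedAsync(userId);
            ModelState.AddModelError("", "Invalid code.");
            return View(model);
        }

        await _userManager.UpdateSecurityStampAsync(userId);
        var user = await _userManager.FindByIdAsync(userId);
        await _signInManager.SignInAsync(user, model.RememberMe, model.RememberBrowser);
        return RedirectToLocal(model.ReturnUrl);
    }

    // Open-redirect guard from the MVC template: only follow local return URLs.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }
}
```

Two points worth checking before adopting this: the order in VerifyCode matters if the cookie middleware is configured with SecurityStampValidator, because rotating the stamp after the cookie has been issued would sign the user out again at the next validation interval; and rotating the stamp also invalidates that user's cookies on other devices, which is usually what you want on a fresh login but is a visible behaviour change.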