daviftorres commented on issue #11776: URL: https://github.com/apache/cloudstack/issues/11776#issuecomment-4097900271
Unfortunately, this issue was automatically archived due to no activity for over 120 days. In any case, I want to follow up because I now have additional information and a technical explanation for why I think we (collaborators and maintainers) should take a closer look at this trivial-to-fix issue.

RFC 6238 defines, among many other things, that TOTP codes last for 30 seconds by default. It also recommends accepting/tolerating ±1 time step to avoid issues like the one described here. See page 6, section 5.2 [[Link](https://www.rfc-editor.org/rfc/rfc6238#page-6)].

> We RECOMMEND that at most one time step is allowed as the network delay.

As a counterexample, Microsoft is known for a poor implementation with a validation window as wide as ~3 minutes, prioritizing "better" user experience at the expense of security (not surprisingly). See articles from:

- CSA, published on 28 Jan 2025 [[Link](https://web.archive.org/web/20250212070034/https://cloudsecurityalliance.org/blog/2025/01/28/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass#)]
- CSO, published on 11 Dec 2024 [[Link](https://www.csoonline.com/article/3622369/microsoft-secretly-stopped-actors-from-snooping-on-your-mfa-codes.html?utm_source=chatgpt.com)]

To wrap up, I can confirm that every time I open the Duo Authenticator app, the 30-second countdown always starts from the maximum value. This behavior is not observed in the Google or Microsoft Authenticator apps. The reason we should care about this poor implementation in the Cisco Duo app is that it is widely used in corporate environments (including mine) as the only company-approved MFA/2FA application.
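Added example (not code from the issue, from CloudStack, or from any of the apps named above): a minimal RFC 6238 TOTP generator and verifier in Python, with the ±1 time-step tolerance the comment cites exposed as a `window` parameter, plus the per-step countdown an authenticator app should display. The secret and timestamps are the RFC 6238 test vector and constructed values; `window=6` is used only to model a roughly three-minute validation window.

```python
import hashlib
import hmac
import struct

STEP = 30  # RFC 6238 default time step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, at // step, digits)


def verify(secret: bytes, code: str, now: int, window: int = 1,
           digits: int = 6, step: int = STEP) -> bool:
    """Accept `code` if it matches the current step or any step within
    +/-`window`. window=1 is what RFC 6238 section 5.2 recommends; every
    extra step widens the period during which an observed code is replayable."""
    current = now // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, current + delta, digits)
        if hmac.compare_digest(candidate, code):  # constant-time comparison
            return True
    return False


def seconds_remaining(now: int, step: int = STEP) -> int:
    """Countdown an authenticator app should show: seconds left in the current
    step. It only equals `step` at the exact start of a step, so an app that
    always starts at the maximum is not reporting the real remaining validity."""
    return step - (now % step)
```

With `window=1` a code remains accepted for one step on either side of the one it was generated in; with a window modelling ~3 minutes the same code is still accepted long after its step has passed.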
