[ https://issues.apache.org/jira/browse/GUACAMOLE-1068?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nick Couchman updated GUACAMOLE-1068:
-------------------------------------
    Issue Type: Improvement  (was: Bug)

> OTP key can be "intercepted" without the user knowing it if credentials are
> known until enrolment is finished
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1068
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1068
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-totp
>    Affects Versions: 1.1.0
>            Reporter: Marcos
>            Priority: Minor
>
> When activating TOTP 2 factor authentication, the first time a user enters
> his credentials, the TOTP key is inserted in the database and the QR code is
> shown. If the user does not complete the enrollment by entering the OTP code,
> the key remains in the database and it will be reused next time he tries
> again.
>
> This opens a window between when the account is created and when the user
> indeed verifies the OTP token, where an attacker that already knows the
> username and password of the user can get the generated OTP token. It will
> be the same that the user gets when he finishes enrolment. The user doesn't
> know that this key has been stolen and can be used in the future.
>
> Security would be increased if the key would be generated randomly every time
> until the pin code is entered and the enrolment process is finished, as the
> malicious user would get a different key, and only the key validated by
> entering the pin would be stored in the database. The attacker would be able
> to get a key, but when the legitimate user tries to login and the QR code is
> not displayed anymore the attack would be uncovered.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
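The following is an added example, not code from Guacamole or from the issue reporter. It models the two enrolment flows the report contrasts in plain Python: `PersistBeforeVerify` writes the TOTP key to the user record the first time the QR code is shown and hands the same key back on every later login, while `VerifyBeforePersist` generates a fresh random key per attempt, keeps it only in a pending store, and persists it only after a valid code is entered. The class and function names, the `UserRecord` shape and the in-memory "database" are assumptions made for the illustration; the HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the time step."""
    return hotp(key, at // period, digits)


def provisioning_uri(issuer: str, account: str, key: bytes) -> str:
    """otpauth:// URI of the kind encoded in the enrolment QR code."""
    secret = base64.b32encode(key).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={secret}&issuer={issuer}"


@dataclass
class UserRecord:                       # hypothetical persisted ("database") row
    password: str                       # plaintext only for this simulation
    totp_key: Optional[bytes] = None
    totp_confirmed: bool = False


class PersistBeforeVerify:
    """Behaviour described in the report: the key is stored when the QR code is
    first shown and reused on every later login until enrolment completes."""

    def __init__(self, users: Dict[str, UserRecord]):
        self.users = users

    def begin(self, username: str, password: str) -> bytes:
        user = self.users[username]
        if not hmac.compare_digest(user.password, password):
            raise PermissionError("bad credentials")
        if user.totp_key is None:       # generated once, then handed out again
            user.totp_key = secrets.token_bytes(20)
        return user.totp_key

    def confirm(self, username: str, code: str, now: int) -> bool:
        user = self.users[username]
        if user.totp_key is not None and hmac.compare_digest(totp(user.totp_key, now), code):
            user.totp_confirmed = True
            return True
        return False


class VerifyBeforePersist:
    """Proposed mitigation: a fresh random key per attempt, held only in a
    pending store (session-scoped in a real deployment) and written to the
    user record only after a valid code proves possession."""

    def __init__(self, users: Dict[str, UserRecord]):
        self.users = users
        self.pending: Dict[str, bytes] = {}

    def begin(self, username: str, password: str) -> bytes:
        user = self.users[username]
        if not hmac.compare_digest(user.password, password):
            raise PermissionError("bad credentials")
        if user.totp_confirmed:
            raise RuntimeError("already enrolled")
        key = secrets.token_bytes(20)
        self.pending[username] = key    # any earlier unconfirmed key is discarded
        return key

    def confirm(self, username: str, code: str, now: int) -> bool:
        key = self.pending.pop(username, None)
        if key is not None and hmac.compare_digest(totp(key, now), code):
            user = self.users[username]
            user.totp_key, user.totp_confirmed = key, True
            return True
        return False


def compare_flows(now: Optional[int] = None) -> dict:
    """Two logins before enrolment completes (the second standing in for
    anyone else who knows the password), then confirmation with the second key."""
    now = int(time.time()) if now is None else now
    results = {}
    for name, flow_cls in (("persist_first", PersistBeforeVerify),
                           ("verify_first", VerifyBeforePersist)):
        users = {"alice": UserRecord(password="constructed-example-password")}
        flow = flow_cls(users)
        first = flow.begin("alice", "constructed-example-password")
        stored_before_confirm = users["alice"].totp_key is not None
        second = flow.begin("alice", "constructed-example-password")
        confirmed = flow.confirm("alice", totp(second, now), now)
        results[name] = {
            "same_key_on_retry": first == second,
            "stored_before_confirm": stored_before_confirm,
            "confirmed": confirmed,
            "stored_key_is_second": users["alice"].totp_key == second,
        }
    return results
```

Running `compare_flows()` shows the difference the report is after: in the persist-first flow both logins receive the same key and it is already in the record before any code was entered, whereas in the verify-first flow the second login replaces the first key, nothing is stored until `confirm` succeeds, and only the key that was actually validated ends up persisted. A real implementation would also expire pending keys and rate-limit `confirm`, which this model leaves out.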