[ https://issues.apache.org/jira/browse/GUACAMOLE-1068?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Couchman updated GUACAMOLE-1068:
-------------------------------------
    Issue Type: Improvement  (was: Bug)

> OTP key can be "intercepted" without the user knowing it if credentials are 
> known until enrollment is finished
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1068
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1068
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-totp
>    Affects Versions: 1.1.0
>            Reporter: Marcos
>            Priority: Minor
>
> When activating TOTP two-factor authentication, the first time a user enters 
> his credentials, the TOTP key is inserted in the database and the QR code is 
> shown. If the user does not complete the enrollment by entering the OTP code, 
> the key remains in the database and it will be reused the next time he tries 
> again.
> This opens a window between when the account is created and when the user 
> indeed verifies the OTP token, in which an attacker who already knows the 
> username and password of the user can get the generated OTP token. It will 
> be the same one that the user gets when he finishes enrollment. The user doesn't 
> know that this key has been stolen and can be used in the future.
> Security would be increased if the key were generated randomly every time 
> until the PIN code is entered and the enrollment process is finished, as the 
> malicious user would get a different key, and only the key validated by 
> entering the PIN would be stored in the database. The attacker would be able 
> to get a key, but when the legitimate user tries to log in and the QR code is 
> not displayed anymore, the attack would be uncovered.
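The two enrollment designs contrasted in the report, written out as a small model so the difference can be checked. This is an added example, not code from guacamole-auth-totp; the class names, the `show_qr`/`confirm`/`verify` methods, the usernames and the timestamps are all constructed for the illustration. `StoreOnFirstLogin` persists the key as soon as the QR code is shown (the behaviour reported), while `StoreOnConfirmation` issues a fresh session-scoped key on every attempt and writes to the database only after a code has verified (the proposed fix). The TOTP/HOTP routines follow RFC 6238 / RFC 4226 and are checked against their published test vectors.

```python
"""Constructed model of the two TOTP enrollment designs discussed in the issue.
Not Guacamole code; names and timestamps are assumptions made for the example."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, at // period, digits)


class StoreOnFirstLogin:
    """Reported behaviour: the key is written to the database the first time the
    user logs in, before any code has been verified, and reused afterwards."""

    def __init__(self):
        self.db = {}            # username -> secret (persisted immediately)
        self.confirmed = set()  # users who have completed enrollment

    def show_qr(self, user):
        # Same key on every visit until enrollment completes.
        return self.db.setdefault(user, secrets.token_bytes(20))

    def confirm(self, user, code, at):
        ok = user in self.db and hmac.compare_digest(totp(self.db[user], at), code)
        if ok:
            self.confirmed.add(user)
        return ok

    def verify(self, user, code, at):
        return user in self.confirmed and hmac.compare_digest(totp(self.db[user], at), code)


class StoreOnConfirmation:
    """Proposed design: a fresh key per enrollment attempt, held only in the
    caller's session; the database is written once a code verifies."""

    def __init__(self):
        self.db = {}            # username -> secret (only confirmed keys)

    def show_qr(self, user):
        if user in self.db:
            return None         # already enrolled: no QR code is displayed
        return secrets.token_bytes(20)   # pending key, never persisted here

    def confirm(self, user, pending, code, at):
        if user in self.db or pending is None:
            return False
        if hmac.compare_digest(totp(pending, at), code):
            self.db[user] = pending      # the only write to the database
            return True
        return False

    def verify(self, user, code, at):
        return user in self.db and hmac.compare_digest(totp(self.db[user], at), code)


# Constructed timestamps: abandoned attempt, real enrollment, later login.
T0, T1, T2 = 1_600_000_000, 1_600_000_600, 1_600_001_200


def scenario_store_on_first_login():
    """A key shown before enrollment finished is the key that ends up enrolled."""
    svc = StoreOnFirstLogin()
    early = svc.show_qr("alice")   # first login at T0, enrollment abandoned
    later = svc.show_qr("alice")   # legitimate enrollment at T1
    svc.confirm("alice", totp(later, T1), T1)
    return {
        "same_key": early == later,
        "early_key_still_valid": svc.verify("alice", totp(early, T2), T2),
    }


def scenario_store_on_confirmation():
    """The abandoned attempt's key is discarded; only the confirmed key counts."""
    svc = StoreOnConfirmation()
    early = svc.show_qr("alice")   # abandoned attempt, key never stored
    later = svc.show_qr("alice")   # fresh key for the real enrollment
    assert svc.confirm("alice", later, totp(later, T1), T1)
    return {
        "same_key": early == later,
        "early_key_still_valid": svc.verify("alice", totp(early, T2), T2),
        "qr_shown_after_enrollment": svc.show_qr("alice") is not None,
    }


if __name__ == "__main__":
    print("store on first login:", scenario_store_on_first_login())
    print("store on confirmation:", scenario_store_on_confirmation())
```

In the first model both flags come back true: the key observed during the window is the enrolled key and still produces valid codes later. In the second, the early key never reaches the database, and because `show_qr` returns nothing once the user is enrolled, a legitimate user who expected the QR code sees its absence, which is the signal the report describes.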



--
This message was sent by Atlassian Jira
(v8.3.4#803005)