Prevent 2fa token reuse #276
How do you "reuse" a 2FA authentication code? Would you please describe a scenario in which a 2FA code is reused, causing a security risk? Generated codes like the email code are re-generated on each login. So each time you try to log into an account, a new code is generated and the old one becomes invalid. Time-based codes (TOTP codes) change each period, which is typically 30 seconds. So a time-based code is only valid for a very limited amount of time. In general, 2FA codes are only valid for the specific account they're generated for, so you cannot use a code that was generated for account A to pass 2FA for account B.
I do agree that it's not a big security risk, though. But I feel it's good practice to invalidate the code after each use.
Only possible for time-based codes within a small time window. Though, how would an attacker acquire the authentication code? Any scenario that I could think of would require a severe security breach either on the side of the user, or on the side of your system.
If you really want to do that, you could listen to the check events, keep track of all the used authentication codes and throw an exception when a code is used. |
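The approach suggested in the comment above, worked through as an added example that is not code from the original issue or from the library under discussion: a small RFC 6238 TOTP verifier that remembers which time-step counter a user has already passed and rejects a second use of the same step while it is still inside the acceptance window. The `TotpVerifier` class, its `window` parameter, the user names and the use of the RFC 4226/6238 test secret are assumptions made for this illustration; a real deployment would keep the spent-counter store in shared, persistent storage rather than in process memory.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 of the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, timestamp: float, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(timestamp / period)."""
    return hotp(secret, int(timestamp) // period, digits)


class TotpVerifier:
    """Hypothetical verifier (written for this example) that refuses to accept
    the same TOTP time step twice for the same user.

    Rather than storing the accepted code string, it records the time-step
    counter that matched, together with the instant at which that counter
    leaves the acceptance window. After that instant the entry is dropped,
    because a code for that counter could no longer be accepted anyway, so
    the store stays bounded by (users x window size).
    """

    def __init__(self, period: int = 30, window: int = 1, digits: int = 6) -> None:
        self.period = period
        self.window = window  # accepted clock skew, in time steps, on either side of "now"
        self.digits = digits
        self._used: Dict[Tuple[str, int], float] = {}  # (user, counter) -> expiry timestamp

    def _purge(self, now: float) -> None:
        """Forget spent counters that are no longer inside anyone's acceptance window."""
        self._used = {key: exp for key, exp in self._used.items() if exp > now}

    def verify(self, user: str, secret: bytes, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        self._purge(now)
        current = int(now) // self.period
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            # constant-time comparison so a wrong code does not leak how many digits matched
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                key = (user, counter)
                if key in self._used:
                    return False  # correct code, but already spent: treat as a replay
                # last instant at which this counter is still inside the window
                self._used[key] = (counter + self.window + 1) * self.period
                return True
        return False  # no counter inside the window produced this code

    def pending_entries(self, user: str) -> int:
        """Number of spent counters still remembered for this user (for inspection)."""
        return sum(1 for (u, _) in self._used if u == user)


if __name__ == "__main__":
    # Constructed demo using the shared RFC 4226/6238 test secret.
    secret = b"12345678901234567890"
    verifier = TotpVerifier()
    code = totp(secret, 59)
    print("first use:", verifier.verify("alice", secret, code, now=59))
    print("replay   :", verifier.verify("alice", secret, code, now=75))
```

The replay check sits inside the skew window: with `window=1` a code for step `counter` is accepted for three periods, so the spent entry is kept until `(counter + window + 1) * period` and then purged. Tracking the counter rather than the code also means the check costs one dictionary lookup per successful verification and nothing on failure.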
The library should support a feature to prevent 2FA token reuse.
Currently, we can use the same token an unlimited number of times before it expires.