
ASP.NET Identity Core 2.1 - User can verify multiple times with the same two factor token

Open obastow opened this issue 6 years ago • 8 comments

Is your feature request related to a problem? Please describe.

When using a UserManager to verify a two factor token (VerifyTwoFactorTokenAsync), the same token can be verified successfully for a user more than once.

This violates Section 5.2 of RFC 6238, in particular,

Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.

Describe the solution you'd like

Once a token has been verified successfully, VerifyTwoFactorTokenAsync should return false for that token.

Additional context

A work-around we've found is to update a user's security stamp after a successful token verification, but this comes with its own issues, such as invalidating sessions in other browsers. Is there another way we should be doing this?

obastow avatar Sep 25 '19 15:09 obastow
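One way to get the single-use behaviour the report asks for without touching the security stamp is to decorate the two-factor token provider so that a token, once accepted for a user, is refused on any later attempt. The following is an added example written for this thread; it is not code from the aspnetcore repository or from the reporter. It assumes an `IMemoryCache` is registered, that `TUser`/`AppUser` are the application's user types, and that a five-minute replay window is at least as long as the inner provider's own acceptance window (that figure is an assumption, not a documented Identity value).

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical decorator (not part of ASP.NET Core Identity): wraps any
// IUserTwoFactorTokenProvider and remembers which tokens it has already
// accepted, so a replayed OTP fails even though the inner provider would
// still consider it valid for its time-step window.
public sealed class SingleUseTokenProvider<TUser> : IUserTwoFactorTokenProvider<TUser>
    where TUser : class
{
    private readonly IUserTwoFactorTokenProvider<TUser> _inner;
    private readonly IMemoryCache _usedTokens;

    // Assumption: the inner provider never accepts a token older than this.
    // The entry must outlive the provider's acceptance window, otherwise a
    // token could be replayed after its cache entry has expired.
    private static readonly TimeSpan ReplayWindow = TimeSpan.FromMinutes(5);

    public SingleUseTokenProvider(IUserTwoFactorTokenProvider<TUser> inner, IMemoryCache usedTokens)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
        _usedTokens = usedTokens ?? throw new ArgumentNullException(nameof(usedTokens));
    }

    public Task<bool> CanGenerateTwoFactorTokenAsync(UserManager<TUser> manager, TUser user)
        => _inner.CanGenerateTwoFactorTokenAsync(manager, user);

    public Task<string> GenerateAsync(string purpose, UserManager<TUser> manager, TUser user)
        => _inner.GenerateAsync(purpose, manager, user);

    public async Task<bool> ValidateAsync(string purpose, string token, UserManager<TUser> manager, TUser user)
    {
        var userId = await manager.GetUserIdAsync(user);
        // Key on user + purpose + token so the same digits presented for a
        // different user or purpose are judged independently.
        var key = $"used-otp:{userId}:{purpose}:{token}";

        if (_usedTokens.TryGetValue(key, out _))
        {
            return false; // already accepted once: treat as a replay
        }

        var ok = await _inner.ValidateAsync(purpose, token, manager, user);
        if (ok)
        {
            // Record only successful validations; failed guesses are left to
            // the lockout machinery.
            _usedTokens.Set(key, true, ReplayWindow);
        }
        return ok;
    }
}

// Assumed wiring (hypothetical Program.cs fragment): register the decorator
// under the default authenticator provider name so that
// UserManager.VerifyTwoFactorTokenAsync(user, "Authenticator", code) goes
// through it. The factory registration comes last so it is the one DI resolves.
public static class SingleUseTokenProviderRegistration
{
    public static IdentityBuilder AddSingleUseAuthenticator<TUser>(this IdentityBuilder builder)
        where TUser : class
    {
        builder.AddTokenProvider(TokenOptions.DefaultAuthenticatorProvider, typeof(SingleUseTokenProvider<TUser>));
        builder.Services.AddMemoryCache();
        builder.Services.AddTransient(sp => new SingleUseTokenProvider<TUser>(
            new AuthenticatorTokenProvider<TUser>(),
            sp.GetRequiredService<IMemoryCache>()));
        return builder;
    }
}
```

Two caveats a practitioner should weigh before adopting this. First, an in-process `IMemoryCache` only remembers accepted tokens on the instance that saw them; behind a load balancer the replay record has to live in a store shared by every instance, or a second request landing elsewhere will still succeed. Second, this only closes the replay hole; it does nothing about the inner provider's own acceptance window, so the cache lifetime has to be chosen with that window in mind rather than assumed to be 30 seconds.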

Oh dear, we're veering from the spec. I've added this to be addressed in the next major release, because it will involve schema changes so it's not something we can do in a patch unfortunately.

blowdart avatar Sep 25 '19 17:09 blowdart

Same issue also for UserManager/VerifyChangePhoneNumberTokenAsync - the same phone code can be verified successfully multiple times.

alinvoina avatar Jan 18 '21 15:01 alinvoina

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

ghost avatar Feb 19 '21 05:02 ghost

Per discussion with @blowdart moving this and related issues to backlog for now

HaoK avatar Feb 19 '21 05:02 HaoK

any updates about this?

sebastienlabine avatar Mar 04 '22 21:03 sebastienlabine

Any updates on this issue? When can we expect the fix?

No1e avatar Jan 17 '24 04:01 No1e

Any update on this issue?

JMakhoul avatar Feb 20 '24 15:02 JMakhoul

I think it is already known, but in addition to the problem you have already highlighted, I have found that OTPs that have expired for much more than 30 seconds are also accepted, which seems quite 'serious' to me for a security system.

pampua84 avatar Mar 12 '24 14:03 pampua84

Our plan is to add something like "The TOTP should be kept secret because it can be used to authenticate successfully multiple times before it expires." to https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-enable-qrcodes

The TOTP still offers a lot of additional security over just a password even if it can be used multiple times in a 30 second window. If an attacker can read arbitrary network traffic and sniff the TOTP from the form post, they'd usually be better off stealing the authentication cookie that will last a lot longer than 30 seconds.

halter73 avatar Apr 02 '24 21:04 halter73

Hi there! Could you please confirm whether it's possible to delete the user token after it has been used?

vinayaroratech avatar Apr 12 '24 12:04 vinayaroratech