
Add verify step to TOTP 2FA setup

Open needToRoll opened this issue 3 years ago • 2 comments

Is your feature request related to a problem? Please describe. I recently tried to set up TOTP 2FA on my username-password users. Due to some issue with my TOTP configuration, the code my app generated and the code Vault expected did not match. (I am currently trying to figure out what exactly caused this and I might open a separate issue/bug once I've narrowed it down.) This could be avoided if the user was prompted to enter his generated OTP code during the MFA setup.

Describe the solution you'd like Add an additional step to the MFA setup that prompts the user to enter a valid OTP token before the setup can be completed. This step could be added to the UI or the CLI or both.

Describe alternatives you've considered None

Explain any additional use-cases None

Additional context From what I can tell, the OTP library you currently use suggests having a verification step as part of the 2FA enrollment. See: https://github.com/pquerna/otp#user-enrollment It seems like I am not the only one who struggles with this... The impact of issues such as #17329 might be mitigated by implementing a verification step.

As a side note: If this is something you would be interested in I would be happy to contribute.

Questions and or feedback are welcome.

needToRoll, Nov 17 '22 23:11

Thanks for filing this issue. Would you please share your MFA configuration that caused the issue? There is a consideration to make for Android which is documented here. It basically says that Google Authenticator for Android supports only SHA1 as the value of algorithm.

hghaf099, Nov 18 '22 17:11

Hi @hghaf099, I looked deeper into the TOTP issue and it is indeed the case that my 2FA app did not support other hashing algorithms. This is not only the case for Google Authenticator but for Microsoft's Authenticator as well. In fact, I found only very few apps that actually supported reading the hashing algorithm from the QR code or OTP URL.

I tried two different apps (before reporting this) but both seem to be affected by this issue. Sorry about that. I did not intend this to be a bug report but a feature request for a verification step.

However, I still think this feature request has some merit as it would prevent users from being locked out.

needToRoll, Nov 20 '22 11:11
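The verify step requested in the opening post, combined with the SHA1-only authenticator behaviour discussed in the later comments, as an added Go example that is not Vault's code or the pquerna/otp library: a minimal RFC 6238 TOTP on the standard library where the generated secret is only activated after the user submits a matching code, so an app that ignored algorithm=SHA256 in the otpauth URL fails at enrollment instead of locking the user out at login. The secret bytes, the 30-second step and the one-step tolerance window are constructed assumptions for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"hash"
	"time"
)

// totpCode computes an RFC 6238 TOTP (6 digits, 30 s steps) with the given HMAC hash.
func totpCode(secret []byte, newHash func() hash.Hash, step uint64) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], step)
	mac := hmac.New(newHash, secret)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// pendingEnrollment holds a freshly generated secret that is NOT yet active.
type pendingEnrollment struct {
	secret  []byte
	newHash func() hash.Hash // algorithm the server advertised in the otpauth URL
}

// confirm is the verify step: the user types the code their app shows and the
// secret is activated only if it matches the current or an adjacent time step.
func (p pendingEnrollment) confirm(code string, now time.Time) ([]byte, error) {
	step := uint64(now.Unix() / 30)
	for _, s := range []uint64{step - 1, step, step + 1} {
		if hmac.Equal([]byte(totpCode(p.secret, p.newHash, s)), []byte(code)) {
			return p.secret, nil // caller persists this as the active MFA secret
		}
	}
	return nil, fmt.Errorf("code %q did not match; enrollment not completed", code)
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed sample, not a real key
	p := pendingEnrollment{secret: secret, newHash: sha256.New}
	appCode := totpCode(secret, sha1.New, uint64(time.Now().Unix()/30)) // app silently used SHA1
	_, err := p.confirm(appCode, time.Now())
	fmt.Println("SHA1 app vs SHA256 server config:", err)
}
```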