Bouke Haarsma

Results 250 comments of Bouke Haarsma

@MarkusH @moggers87 I'd be happy to hear your feedback on this early draft.

...and only for the same user account. It's a valid use-case to share a phone number across multiple accounts (as backup).

The relevant part in the specification is the following:

> We also RECOMMEND storing the keys securely in the validation system,
> and, more specifically, encrypting them using tamper-resistant
> ...

A possible package to perform the encryption would be: https://github.com/pyca/cryptography.

I've looked into this and the issue is that this package only stores the [`PhoneDevice`](https://github.com/Bouke/django-two-factor-auth/blob/f9c86bd54ebac3c1d3198bb38e73b297296d274d/two_factor/models.py#L66-L69), but not the other `Device`s, most notably the `TOTPDevice`. So while we could encrypt some...

Without additional information, there's nothing much to look at here. I think the clock skew (drift) is stored somewhere on the OTP device, and I'm guessing here, maybe the clock...

What do you mean by additional authentication?

Good idea; it might be better to require 2FA confirmation before disabling 2FA. Something like "sudo mode" on Github.

Can you explain how 2fa can *always* be bypassed?

The specification is the following:

> Note that a prover may send the same OTP inside a given time-step
> window multiple times to a verifier. The verifier MUST NOT...