amplify-flutter icon indicating copy to clipboard operation
amplify-flutter copied to clipboard
verified publisher icon aws-amplify

TOTP: How to know all Authenticators enabled for same client-id?

Open dkliss opened this issue 1 year ago • 0 comments

Description

Hi,

EDIT:

For TOTP setup, when a user scans a QR code and secret and then correctly run VerifyTotpSetup(), authenticator is successfully connected for that device and userID. However, if I re-run setUpTotp() and then instead of scanning the new code with Authenticator, I use code from previously scanned Authenticator client in VerifyTotpSetup(), this code is still accepted (no exception received) by VerifyTotpSetup(). What it seems that now Amplify have two secrets and from amplify perspective two Authenticators are registered i.e. old one and new one setup via setUpTotp(). I was wondering, if there is a way to check all Authenticators connected with a client and disable or enable those from client side.

otpauth://totp/MyAPP:<Cliend-id>?secret=<my-secret>A&issuer=MyApp

To reproduce follow below;

  1. Run setUpTotp().
  2. Scan code with Authenticator().
  3. Get code from Authenticator and enter correct code in in VerifyTotpSetup().
  4. Code works and Authenticator is connected.
  5. Re-Run setUpTotp() for same user. This will produce same client ID but different secret string.
  6. DO NOT Scan this code with Authenticator().
  7. Instead get code from previously scanned Authenticator and enter correct code in in VerifyTotpSetup().
  8. Code works even when secret is different but client-id is same <-- Guessing second secret is for second Authenticator and therefore old secret works and new will work if scanned again.
  9. Repeat steps from 5 to 8 multiple times and same behaviour is seen meaning each new QR code is indicating that a new Authenticator is attached to same client.

Categories

  • [ ] Analytics
  • [ ] API (REST)
  • [ ] API (GraphQL)
  • [X] Auth
  • [X] Authenticator
  • [ ] DataStore
  • [ ] Notifications (Push)
  • [ ] Storage

Steps to Reproduce

No response

Screenshots

No response

Platforms

  • [X] iOS
  • [ ] Android
  • [ ] Web
  • [ ] macOS
  • [ ] Windows
  • [ ] Linux

Flutter Version

3.19.1

Amplify Flutter Version

1.6.1

Deployment Method

Amplify CLI

Schema

No response

dkliss avatar Mar 01 '24 01:03 dkliss