
Reuse of token in TOTP is possible

Open cscs-nchalla opened this issue 3 years ago • 1 comment

Describe the bug

According to the document, the verifier should not accept the second attempt of the OTP after successful validation, but Keycloak is allowing use of the same OTP token multiple times within the timeframe.

https://www.rfc-editor.org/rfc/rfc6238.html#section-5

Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.

Version

18.0.0

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

cscs-nchalla • Aug 08 '22 07:08
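The RFC 6238 rule quoted in the report, shown as an added example that is not Keycloak's code: a minimal HOTP/TOTP generator, a naive verifier that accepts the same code every time it is presented within the window (the behaviour the issue describes), and a verifier that records the highest time-step counter it has accepted per user and refuses any code at or below it, so each OTP is usable once. The secret is the RFC 4226/6238 test seed; the in-memory per-user store, the `look_around` tolerance and all function and class names are assumptions of this example, not Keycloak's design.

```python
"""Replay-resistant TOTP verification (added example, not Keycloak's code)."""
import hashlib
import hmac
import struct

# Constructed sample shared secret: the RFC 4226 / RFC 6238 test seed
# (ASCII "12345678901234567890"). Real secrets come from enrollment.
SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step (T0 = 0)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_without_replay_check(secret: bytes, code: str, unix_time: int,
                                step: int = 30, digits: int = 6, look_around: int = 1) -> bool:
    """Naive verifier: accepts any code from the current window or its neighbours
    no matter how many times it has been presented. This is what the issue reports."""
    current = int(unix_time) // step
    return any(
        hmac.compare_digest(hotp(secret, current + d, digits), code)
        for d in range(-look_around, look_around + 1)
    )


class ReplayResistantVerifier:
    """Remembers, per user, the highest time-step counter already accepted and
    refuses anything at or below it, which enforces the MUST NOT in RFC 6238 section 5."""

    def __init__(self, step: int = 30, digits: int = 6, look_around: int = 1):
        self.step = step
        self.digits = digits
        self.look_around = look_around
        # Assumption: in-memory store keyed by user id. A real deployment needs
        # this state persisted and shared by every node that verifies OTPs.
        self._last_accepted: dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str, unix_time: int) -> bool:
        current = int(unix_time) // self.step
        last = self._last_accepted.get(user, -1)
        for delta in range(-self.look_around, self.look_around + 1):
            counter = current + delta
            if not hmac.compare_digest(hotp(secret, counter, self.digits), code):
                continue
            if counter <= last:
                # This time step (or an older one) was already consumed: reject the replay.
                return False
            self._last_accepted[user] = counter
            return True
        return False


if __name__ == "__main__":
    code = totp(SEED, 59)
    print("naive, first use: ", verify_without_replay_check(SEED, code, 59))
    print("naive, second use:", verify_without_replay_check(SEED, code, 59))
    strict = ReplayResistantVerifier()
    print("strict, first use: ", strict.verify("alice", SEED, code, 59))
    print("strict, second use:", strict.verify("alice", SEED, code, 59))
```

Storing the highest accepted counter rather than a set of used codes keeps the state to one integer per user and also closes the window on older steps that the tolerance would otherwise still accept; the cost is that the store must be shared and durable, which is the operational change an admin toggle like the one discussed below would let deployments opt into.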

@abstractj @pedroigor this is a security bug

trixpan • Aug 12 '22 08:08

@cscs-nchalla Thanks for creating this issue. I think it'd be good to deny used OTPs, but it'd also be nice to have a possibility for the admin to enable/disable the support for that. The thing is that it'd slightly change the behavior of the authentication process, and the admin can decide whether to use it or not.

WDYT?

DRAFT PR: #13867

mabartos • Aug 18 '22 17:08