Encourage the use of SSL to avoid replay attacks

Created on 29 August 2014, over 10 years ago
Updated 4 January 2025, 5 days ago

Currently the tfa system doesn't enforce one-time use of all the tokens. A recovery code or SMS code provided by tfa_basic is immediately used and cannot be re-used, but the TOTP code can be re-used inside the interval (which defaults to 90 seconds).

If an attacker is able to sniff the traffic of a victim they can get username/password and the TOTP code which they can then re-use.

The README and perhaps the project page should encourage the use of HTTPS/SSL and HSTS to reliably encrypt traffic and reduce the likelihood of sniffing credentials or a one-time-use code.
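As an added illustration of the replay window described above (this is example code, not code from the TFA module or from the issue author), the Python below implements RFC 6238 TOTP and runs the same code through two verifiers: a naive one that accepts any code valid within the skew window, and one that records the highest accepted time step per user so a sniffed code cannot be presented a second time. The 30-second step is the RFC default; the ±1-step skew, which yields a 90-second acceptance window, is an assumption made here for illustration and is not a statement about the module's configuration. The secret and timestamp are the RFC 6238 test vector values, used so the computed code can be checked against the RFC.

```python
"""Added example (not TFA module code): TOTP replay inside the validity
window, and a last-accepted-step guard that closes it.

TOTP per RFC 6238 (HMAC-SHA1, 30-second step, 6 digits). The +/-1 step
skew (a 90-second acceptance window) is an assumption for illustration.
"""
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6
SKEW = 1     # also accept the previous and next step: 3 steps = 90 s (assumed)


def totp(secret: bytes, timestep: int) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) computed over the time-step counter."""
    msg = struct.pack(">Q", timestep)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def matching_step(secret: bytes, code: str, now: int):
    """Return the time step inside the skew window that produced `code`, else None."""
    current = int(now) // STEP
    for step in range(current - SKEW, current + SKEW + 1):
        if hmac.compare_digest(totp(secret, step), code):
            return step
    return None


class NaiveVerifier:
    """Accepts any code valid in the window, as many times as it is presented."""

    def verify(self, secret: bytes, code: str, now: int) -> bool:
        return matching_step(secret, code, now) is not None


class ReplaySafeVerifier:
    """Remembers the highest accepted step per user; a replayed code fails."""

    def __init__(self):
        self.last_step = {}

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        step = matching_step(secret, code, now)
        # Reject unknown codes and any code at or before the last accepted step.
        if step is None or step <= self.last_step.get(user, -1):
            return False
        self.last_step[user] = step
        return True


def demo() -> dict:
    # Constructed inputs: the RFC 6238 Appendix B test key and one of its timestamps.
    secret = b"12345678901234567890"
    now = 1111111109
    code = totp(secret, now // STEP)

    naive = NaiveVerifier()
    safe = ReplaySafeVerifier()
    return {
        "code": code,
        # A sniffed code presented 20 s later is still inside the window.
        "naive_first": naive.verify(secret, code, now),
        "naive_replay": naive.verify(secret, code, now + 20),
        "safe_first": safe.verify("alice", secret, code, now),
        "safe_replay": safe.verify("alice", secret, code, now + 20),
        # The next step's code is still accepted after the guard is set.
        "safe_next_step": safe.verify("alice", secret, totp(secret, now // STEP + 1), now + STEP),
        "safe_garbage": safe.verify("alice", secret, "zzzzzz", now + STEP),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two controls are complementary rather than alternatives: HTTPS with HSTS stops the attacker from capturing the username, password and code in the first place, while the last-accepted-step record stops a code that was captured anyway from being accepted a second time. The guard also rejects a code from an earlier step once a later one has been accepted, which is the usual trade-off for a strictly monotonic counter.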

📌 Task
Status: Active
Version: 2.0
Component: Documentation
Created by: 🇺🇸 United States greggles, Denver, Colorado, USA


Comments & Activities


  • 🇺🇸 United States cmlara

    In preparation for D7 EOL in a couple of days, moving this to the 2.x branch.

    While using SSL should be 'common knowledge' for anyone deploying MFA, I could see room for it to be included somewhere in the documentation. Possibly under the Install Hardening section? (Maybe rename it to "Deployment Hardening" to be more agnostic to the setup itself?) It could also be a good option to create a "Security Considerations" section, as I could see us desiring to document the DB storage and multi-environment related concerns.
