- Issue created by @jnavane
- 🇺🇸United States cmlara
Do we need to restrict QR code that should be configured in only one device?
Fundamentally, how would we even enforce that? We have to display the data to the user to configure.
The QR code is actually just an easy method of transferring the configuration data; many software token devices allow you to export the token secret and configuration data, so even if we could somehow detect when the photo of the QR code has been taken (we can't) a user could just export the data and import it onto a new device, or use the first scan to get the secret code data using a standard QR code reader and enter it themselves on any token device they choose.
TOTP type tokens are time based; it's actually a part of the design of the TOTP protocol that all you need is the secret code and the current time to get a token. For HOTP tokens there is a counter involved instead of a clock; these are usually less useful to duplicate because you need to keep your tokens in sync on the counter, so it makes less sense to duplicate them, though they have a higher risk of becoming out of sync with the authentication service.
Also, until we get #3277090: Replace default validation plugin by use priority, there is an argument for making duplicate copies (stored in a secure location) to ensure one does not get locked out of their account.
the purpose of TFA is to protect user authentication through a one-time verification code
This is the key part: TFA's job is to validate the token, proving the user has possession of the secret key/second factor token; it's the user's responsibility to protect that key.
The benefit with TFA is that a user is much less likely to lose both their password and their secret key at the same time (it's possible, just much less likely).
There are of course ways to make this more secure: choosing a TFA method that is less shareable (would require appropriate plugins to be built) or issuing physical tamper-resistant tokens to users that do not allow retrieving the secret key are a couple of options that come to mind. These decisions are of course usually based on what your site's needs are.
Ultimately it's the site owner who needs to evaluate if software tokens are an acceptable security method compared to other possible methods, given the known design risks around them.
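As an added example (not code from the TFA module or from anyone in this thread), a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation showing the duplication behaviour described above: two devices provisioned from the same QR code produce identical TOTP codes, while a duplicated HOTP token drifts out of sync with the server's counter. The shared secret is the RFC 4226 test-vector key, and the server look-ahead window of 3 is an assumption.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


# Constructed shared secret (the RFC 4226 test-vector key); this is what the QR code carries.
SECRET = b"12345678901234567890"


def duplicated_totp_agree(unix_time: int) -> bool:
    """Two devices provisioned from one QR code give the same TOTP code:
    the only inputs are the shared secret and the clock."""
    return totp(SECRET, unix_time) == totp(SECRET, unix_time)


class HotpVerifier:
    """Server side of HOTP: accepts the next code within a small look-ahead window (assumed 3)."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resynchronise to the accepted counter value
                return True
        return False


def duplicated_hotp_accepted(uses_on_device_a: int) -> bool:
    """Device A is used `uses_on_device_a` times; the duplicate device B stays at counter 0.
    Returns whether device B's next code is still accepted by the server."""
    server = HotpVerifier(SECRET)
    for counter_a in range(uses_on_device_a):
        server.verify(hotp(SECRET, counter_a))  # each use advances the server counter
    return server.verify(hotp(SECRET, 0))  # device B never advanced
```

Once device A has logged in even once, the server has moved past counter 0 and device B's codes are rejected, which is the "higher risk of becoming out of sync" mentioned above.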
- 🇮🇳India jnavane
Hi Cmlara,
Thanks for your response.
I understand that; this is more about the use cases we are taking here, and it is the end user's responsibility to keep the QR secret key secure.
- Status changed to Fixed
2:43am 12 July 2023: Automatically closed - issue fixed for 2 weeks with no activity.