Google Authenticator
[resolved] Plugin ignoring leading zeros, codes can be reused (2 posts)

  1. heypete
    Posted 3 years ago


    Two minor bugs that I've detected:

    1. The plugin seems to disregard leading zeros in the user-entered code.

    For example, say the correct code for a specific time is "000123". If the user enters "000123", they are granted access as expected. If the user enters "123", they are also granted access (this is unexpected).

    For that time interval, the strength of the OTP is effectively reduced to a much lower level. While it's unlikely that an adversary would attempt a short-but-valid code at the same time interval that such a code would be accepted, it's still a matter of concern.

    2. The same valid code can be reused within the same interval -- codes are not invalidated after a single use.

    RFC 6328 section 5.2 (which defines the TOTP algorithm) says this is a Bad Thing:

    Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.
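
The two defects described above are easy to reproduce and to fix in a few lines of verifier logic. The following is an added example, not code from the Google Authenticator plugin or from either poster: a minimal RFC 6238 TOTP generator (HMAC-SHA1, 30-second step, 6 digits), a `NaiveVerifier` that compares codes as integers and keeps no state (so it accepts "123" for "000123" and accepts the same code twice), and a `HardenedVerifier` that requires an exact-length digit string, compares in constant time, and remembers the highest time step each user has already consumed so a second submission inside the same window is refused. The secret is the ASCII seed from the RFC 6238 test vectors; the user name, the class names and the `first_time_with_leading_zero` scan helper are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct

# Constructed test secret: the ASCII seed used by the RFC 6238 test vectors.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, zero-padded decimal string."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (default 30 s)."""
    return hotp(secret, unix_time // step, digits)


class NaiveVerifier:
    """Reproduces both reported bugs: an integer comparison (which discards
    leading zeros) and no memory of codes already accepted (replay)."""

    def verify(self, secret: bytes, submitted: str, unix_time: int) -> bool:
        try:
            return int(submitted) == int(totp(secret, unix_time))
        except ValueError:
            return False


class HardenedVerifier:
    """Exact-length string comparison plus per-user replay tracking."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_step = {}  # user -> highest time step already consumed (assumed in-memory store)

    def verify(self, user: str, secret: bytes, submitted: str, unix_time: int) -> bool:
        # Fix for bug 1: the code must be exactly `digits` decimal characters.
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        current = unix_time // self.step
        # Accept the current step and `window` steps either side for clock skew.
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate < 0:
                continue
            expected = hotp(secret, candidate, self.digits)
            if hmac.compare_digest(submitted, expected):
                # Fix for bug 2: a step at or below the last consumed one is a replay.
                if candidate <= self._last_step.get(user, -1):
                    return False
                self._last_step[user] = candidate
                return True
        return False


def first_time_with_leading_zero(secret: bytes, step: int = 30, limit: int = 10_000) -> int:
    """Scan forward from the epoch for a step whose code starts with '0'
    (demonstration helper for bug 1; about one step in ten qualifies)."""
    for counter in range(limit):
        if hotp(secret, counter).startswith("0"):
            return counter * step
    raise RuntimeError("no leading-zero code found in scan range")


if __name__ == "__main__":
    t = first_time_with_leading_zero(SECRET)
    code = totp(SECRET, t)
    print("code", code, "naive accepts", str(int(code)), "->",
          NaiveVerifier().verify(SECRET, str(int(code)), t))
    hardened = HardenedVerifier()
    print("hardened first use", hardened.verify("alice", SECRET, code, t),
          "second use", hardened.verify("alice", SECRET, code, t))
```

The replay check records the time step that matched rather than the code string, so it also covers the skew window: once a user has authenticated with the code for step N, codes for steps N-1 and N are refused even though they are still inside the accepted window. In a real deployment the `_last_step` map must live in persistent, shared storage (for a WordPress plugin, user meta in the database), otherwise a second web worker or a process restart would forget what has already been consumed.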


  2. Henrik Schack
    Plugin Author

    Posted 3 years ago

    I'll add that to my todo list, thanks

    Best regards
    Henrik Schack

Topic Closed
