Two minor bugs that I’ve detected:
1. The plugin seems to disregard leading zeros in the user-entered code.
For example, say the correct code for a specific time is “000123”. If the user enters “000123”, they are granted access as expected. If the user enters “123”, they are also granted access (this is unexpected).
For that time interval, the strength of the OTP is effectively reduced to a much lower level. While it’s unlikely that an adversary would attempt a short-but-valid code at the same time interval that such a code would be accepted, it’s still a matter of concern.
2. The same valid code can be reused within the same interval — codes are not invalidated after a single use.
RFC 6328 section 5.2 (which defines the TOTP algorithm) says this is a Bad Thing:
Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.
Topic: [Plugin: Google Authenticator] Plugin ignoring leading zeros, codes can be reused
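Both behaviours in the report, a verifier that compares codes numerically (so "123" passes for "000123") and one that forgets which time step it has already accepted, shown next to a verifier that fixes both. This is an added Python example, not the plugin's code (which is PHP) and not the poster's. It assumes the RFC 4226/6238 construction (HMAC-SHA1, dynamic truncation, 30-second steps) and uses RFC 6238's ASCII test secret `12345678901234567890` as sample input; `loose_match`, `TotpVerifier` and its `last_accepted_step` field are this example's own names.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, reduced mod 10^digits and ZERO-PADDED to a fixed
    width. The padding is part of the code: '081804' is the value, not 81804."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def loose_match(expected: str, user_code: str) -> bool:
    """Illustrative only (not the plugin's code): comparing as integers drops
    leading zeros, so '81804' is accepted for '081804'. This is the shape of
    bug 1; for a code starting with zeros it shrinks the keyspace an attacker
    has to guess during that step."""
    return int(user_code) == int(expected)


class TotpVerifier:
    """Verifier that handles both reported issues: fixed-width string comparison
    and one-time use per time step. Example code, not the plugin's."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, window: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.window = window          # tolerate +/- this many steps of clock drift
        self.last_accepted_step = -1  # per-user state; persist it next to the secret

    def verify(self, user_code: str, unix_time=None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        # Fix 1: the code must be exactly `digits` ASCII digits; never int() it.
        if len(user_code) != self.digits or not (user_code.isascii() and user_code.isdigit()):
            return False
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            # Fix 2 (RFC 6238 section 5.2): any step at or before the last
            # accepted one is spent, so a captured code cannot be replayed
            # within its window, even with drift tolerance enabled.
            if counter <= self.last_accepted_step:
                continue
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), user_code):
                self.last_accepted_step = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret (constructed sample input)
    t = 1111111100                     # same 30-second step as the RFC's 1111111109 vector
    code = totp(secret, t)
    print("code for this step:", code)               # 081804, note the leading zero
    print("loose match accepts short code:", loose_match(code, code.lstrip("0")))
    v = TotpVerifier(secret, window=0)
    print("strict verifier, short code:", v.verify(code.lstrip("0"), t))
    print("strict verifier, full code: ", v.verify(code, t))
    print("strict verifier, replay:    ", v.verify(code, t + 9))
```

The per-user `last_accepted_step` is the only state the replay check needs; storing it alongside the secret and updating it in the same transaction as the login avoids a race where two concurrent requests both pass before either writes it back.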