RH-SSO / RHSSO-2316

Reuse of TOTP is possible


      OTP used in a concurrent session: logging in from different browsers at the same time and entering the same OTP, it is accepted by the application.

      By not "burning" a previously used TOTP, devise-two-factor allows a narrow window of opportunity (aka the timestep period) where an attacker can re-use a verification code.


      Customer is able to reproduce the issue with TOTP even in the latest version of RH SSO 7.6.1.

      As suggested in SSOSUP-392, the issue is fixed in Keycloak 20: https://github.com/keycloak/keycloak/issues/13607

      Can we back port this for RH SSO 7.6.1?
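As an added illustration of the defect described above (example code, not Keycloak's or RH-SSO's implementation): an RFC 6238 TOTP check written two ways, the naive validator that accepts a still-valid code a second time, and a hardened one that "burns" the accepted time step so a concurrent session presenting the same code is refused. The secret, period and skew window are assumed values.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


def totp(secret: bytes, now: int, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the time step now // period."""
    return hotp(secret, now // period)


class NaiveTotpValidator:
    """Matches the code against the current step +/- look_around steps of skew but keeps
    no memory of accepted codes, so one code logs in twice within a period (this issue)."""

    def __init__(self, secret: bytes, period: int = 30, look_around: int = 1):
        self.secret, self.period, self.look_around = secret, period, look_around

    def _matching_step(self, code: str, now: int):
        base = now // self.period
        for step in range(max(base - self.look_around, 0), base + self.look_around + 1):
            if hmac.compare_digest(hotp(self.secret, step), code):
                return step
        return None

    def verify(self, code: str, now: int) -> bool:
        return self._matching_step(code, now) is not None


class BurningTotpValidator(NaiveTotpValidator):
    """Also remembers the newest accepted step and rejects it and anything older, so an
    accepted code cannot be replayed from another session, even inside the skew window."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.last_accepted_step = -1  # assumption: persisted per credential, shared by all nodes

    def verify(self, code: str, now: int) -> bool:
        step = self._matching_step(code, now)
        if step is None or step <= self.last_accepted_step:
            return False
        self.last_accepted_step = step  # burn it
        return True
```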

        1. OPT_issue_1.png (162 kB)
        2. OPT_issue_2.png (145 kB)
        3. OPT_issue_3.png (285 kB)

              pskopek@redhat.com Peter Skopek
              rhn-support-saatmaku Santoshi saatmaku