Generate new secret key when resetting 2FA for a user
in progress
Neil Sargent
The “Require two step authentication reset” option on the Edit User form should generate a new TOTP secret key for the user’s 2FA setup.
Currently, this option only causes the user’s 2FA setup to be displayed as a QR Code at next login. However, the secret key is not changed.
The most likely need for this option is to allow the user to set up their authenticator app because their previous authenticator has been lost or stolen. Since the same secret key is used for the setup, the lost or stolen authenticator can still be used. THIS IS A FUNDAMENTAL AND SERIOUS SECURITY FLAW.
NOTE: There is a current workaround to this problem. If the 2FA is disabled and enabled from the Security menu of the dashboard, then a new secret key is generated. However, this requires the user to have Manage Computer permissions (otherwise they do not have a dashboard).
Loic Tanon
in progress
Planned in: TOK-1183
Loic Tanon
Hi Neil Sargent,
Thanks for your feedback, it is definitively true.
We are already fixing that. It will be pushed in the next day.
Thanks,
Neil Sargent
Loic Tanon: I have been considering this further and what is really required is _both_ a "reveal" function _and_ a "reset" function for the secret key.
The current system is a "reveal" function which is labelled as a reset.
The reveal function would reveal the user's secret key/QR Code so that they can set up additional authenticators.
The reset function would reset the user's secret key so that a lost/stolen authenticator can be disabled.
The Security menu on the dashboard provides this functionality but is not available to users without Manage Computer permission. Perhaps this could be made available to all users?
This would also allow users to reset their password and reveal/reset their TOTP token without intervention of an administrator. This might be construed as either an advantage or a disadvantage, so perhaps its inclusion could be configurable by the administrator.
To add the functionality to the Edit Menu, you could simply re-label the existing check box to "Reveal two step authentication setup at next logon" and add an additional checkbox to "Reset two step authentication secret key (this will disable all existing authenticators)".
Kind regards
Neil
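The reveal/reset distinction described in this thread, as an added example that is not code from the thread or from the product: a standard-library RFC 6238 TOTP model in which "reveal" re-encodes the unchanged secret (a lost device keeps working) and "reset" replaces it (the lost device is cut off). The issuer name `ExampleApp`, the user record and the time value are constructed; the starting secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP = 30  # TOTP time step in seconds

def totp(secret_b32: str, at_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the variant most authenticator apps use."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", at_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def provisioning_uri(user: dict, issuer: str = "ExampleApp") -> str:
    """The otpauth:// URI that the QR code shown at next login would encode."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(user['name'])}"
            f"?secret={user['totp_secret']}&issuer={quote(issuer)}")

def reveal_2fa(user: dict) -> str:
    """Current behaviour: re-show the existing secret; every old device keeps working."""
    return provisioning_uri(user)

def reset_2fa(user: dict) -> str:
    """Requested behaviour: replace the secret so every previously enrolled device is cut off."""
    user["totp_secret"] = base64.b32encode(secrets.token_bytes(20)).decode()
    return provisioning_uri(user)

def verify(user: dict, code: str, now: int, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift)."""
    return any(hmac.compare_digest(totp(user["totp_secret"], now + d * STEP), code)
               for d in range(-window, window + 1))

def demo(now: int = 1_700_000_000) -> dict:
    # Constructed user record; the secret is the RFC 6238 test key, base32-encoded.
    user = {"name": "user@example.com",
            "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}
    lost_device_secret = user["totp_secret"]     # copy held by the lost/stolen authenticator
    reveal_2fa(user)
    after_reveal = verify(user, totp(lost_device_secret, now), now)
    reset_2fa(user)
    after_reset = verify(user, totp(lost_device_secret, now), now)
    return {"lost_device_works_after_reveal": after_reveal,
            "lost_device_works_after_reset": after_reset}

if __name__ == "__main__":
    print(demo())
```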