You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I noticed a security vulnerability: the backup codes are stored as plain text in a database field. Specifically, authenticate_backup_code function checks if the list of stored backup codes includes the code entered by the user with backup_codes.include?(code) command:
The problem is, if the database leaks out, one can use the codes on the 2FA screen and bypass two factor authentication. A partial solution would be to encrypt the field that stores the backup codes with active record encryption or other methods. But it still makes the system vulnerable if both the database and the encryption key leaks out.
A conventional secure solution would be to generate a list of random backup codes but store only their hashes in the database. One of popular password hashing methods is bcrypt. Here is how to generate a code and its hash:
I noticed a security vulnerability: the backup codes are stored as plain text in a database field. Specifically,
authenticate_backup_code
function checks if the list of stored backup codes includes thecode
entered by the user withbackup_codes.include?(code)
command:The problem is, if the database leaks out, one can use the codes on the 2FA screen and bypass two factor authentication. A partial solution would be to encrypt the field that stores the backup codes with active record encryption or other methods. But it still makes the system vulnerable if both the database and the encryption key leaks out.
A conventional secure solution would be to generate a list of random backup codes but store only their hashes in the database. One of popular password hashing methods is bcrypt. Here is how to generate a code and its hash:
And here is how to check if the code entered by the user corresponds to the generated hash:
The text was updated successfully, but these errors were encountered: