
Two factor code usable more than once

Open theglobe opened this issue 5 years ago • 3 comments

It is possible to use the second factor code more than once, e.g. when using the EmailTokenProvider. For security, I would expect that the second factor code becomes invalid after a successful login.

To reproduce:

  1. Log in with two factors.
  2. Log out.
  3. Log in with two factors, using the second factor code from step 1.

A possible workaround is to call UserManager.UpdateSecurityStampAsync(userId) after a successful two factor authentication. This will invalidate all issued second factor codes for the user.

theglobe avatar May 18 '20 10:05 theglobe

Thanks for posting that workaround, I've been trying to find a way to invalidate used codes. I would also recommend calling that method before the code is generated, since any previous codes that have been generated that are still within the six minute window can be used if the user hasn't successfully signed in. Very strange that this functionality exists.

nhendersn52 avatar Aug 14 '20 13:08 nhendersn52
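An added example, not code from the AspNetIdentity project or from this thread, showing both workarounds in one ASP.NET MVC 5 controller: the security stamp is rotated before a code is generated (nhendersn52's suggestion) and again after the submitted code is verified (the issue's workaround). It assumes the ApplicationUserManager and ApplicationSignInManager classes from the default MVC 5 Identity template; the controller and action names are hypothetical.

```csharp
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// Hypothetical controller; ApplicationUserManager / ApplicationSignInManager are the
// classes generated by the default MVC 5 Identity template (assumed, not shown here).
public class TwoFactorController : Controller
{
    private readonly ApplicationUserManager _userManager;
    private readonly ApplicationSignInManager _signInManager;

    public TwoFactorController(ApplicationUserManager userManager, ApplicationSignInManager signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    // Reached after the password check, while the user is in the two-factor pending state.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> SendCode(string provider)
    {
        var userId = await _signInManager.GetVerifiedUserIdAsync();
        if (userId == null) return View("Error");
        // Rotate the stamp first: the TOTP-based providers (EmailTokenProvider included)
        // derive the code from the security stamp, so any earlier, still-valid code dies here.
        await _userManager.UpdateSecurityStampAsync(userId);
        if (!await _signInManager.SendTwoFactorCodeAsync(provider)) return View("Error");
        return RedirectToAction("VerifyCode", new { Provider = provider });
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> VerifyCode(string provider, string code, bool rememberBrowser)
    {
        var userId = await _signInManager.GetVerifiedUserIdAsync();
        if (userId == null) return View("Error");
        // Check the code without issuing the sign-in cookie yet.
        if (!await _userManager.VerifyTwoFactorTokenAsync(userId, provider, code))
        {
            ModelState.AddModelError("", "Invalid code.");
            return View();
        }
        // Rotate the stamp before signing in: the code just used is now invalid, and the
        // cookie issued next carries the new stamp, so SecurityStampValidator keeps this session.
        await _userManager.UpdateSecurityStampAsync(userId);
        var user = await _userManager.FindByIdAsync(userId);
        await _signInManager.SignInAsync(user, isPersistent: false, rememberBrowser: rememberBrowser);
        return RedirectToAction("Index", "Home");
    }
}
```

Verification and sign-in are split instead of using the template's TwoFactorSignInAsync so that the stamp changes before the cookie is issued; rotating it after the cookie exists would make SecurityStampValidator reject the new session at its next check. Rotating the stamp also ends the user's other active sessions at their next validation interval, which is usually desirable but worth knowing.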

Good point! Thanks!

By the way, is this project still maintained or has it moved somewhere else?

theglobe avatar Aug 17 '20 12:08 theglobe

Described the workaround more elaborately in an answer on Stack Overflow.

theglobe avatar Aug 18 '20 10:08 theglobe