
ASP.NET Core Identity .NET 8 two factor authenticator does not comply with the rfc6238 standard

Open pampua84 opened this issue 1 year ago • 0 comments

Hi, the two-factor authentication mechanism and, consequently, the validation of the OTP generated through an Authenticator app and validated with ASP.NET Core Identity (.NET 8 and earlier versions) do not comply with the RFC 6238 standard. Below is what the documentation reports:

“We recommend a default time-step size of 30 seconds. This default value of 30 seconds is selected as a balance between security and usability.”

However, in the library, the value is set to 90 seconds forward and backward. Not only is this parameter significantly greater than the standard, but it is also not configurable, as indicated by the comment in the documentation:

“// Allow codes from 90s in each direction (we could make this configurable?)”

Additionally, there is an open issue numbered #14423 that has not yet been resolved.

Thanks

Expected Behavior

I expect the validation window to not be a hard-coded value, and to be configurable. Also, I expect there to be a way to not accept the same OTP within a specific time window.

.NET Version

.NET 8 and previous

Anything else?

ASP.NET Core Identity

pampua84, Mar 13 '24 10:03