Improve 2FA Implementation - 2FA Secret Cannot be Rotated
Two Factor Authentication - The 2FA secret is not rotated after use: the Two Factor Authentication secret key stays the same every time the user enables or disables two-factor authentication.
Steps To Reproduce:
- Login to your QR Planet account. Navigate to Account > Two-factor authentication.
- Enable 2FA by providing password (Note down Two Factor Authentication – 2FA Secret Key).
- Now logout and again login. Provide 2FA code. Navigate to the same page and disable Google Authenticator and log out.
- Login again and navigate to Account > Two-factor authentication.
- You will find that the Two Factor Authentication - 2FA Secret Key is the same one that was used previously; it never changes.
Impact:
The user can enable 2FA without scanning the QR code / secret again. If the user's device is compromised, an attacker can recover the 2FA secret and keep it without the victim noticing. If the user does notice and tries to revoke the attacker's access by disabling and re-enabling 2FA, this is not possible, because the secret is not refreshed on disable/enable or by any other means.
Suggestion For Fix:
Credential rotation is an important part of enterprise-grade cybersecurity. It’s also realistically required for legal compliance, which is why so many cloud secrets management tools enable it.
The Two Factor Authentication Secret Key should be rotated after every single use.
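The suggested fix next to the reported behaviour, as an added illustration (not QR Planet's code): a minimal RFC 6238 TOTP check and an account model whose `rotate_on_enable` flag switches between reusing the stored secret and minting a fresh one on every enrolment. Class and function names are assumptions for this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct

def totp(secret_b32: str, timestamp: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def new_secret() -> str:
    """Fresh 160-bit secret, base32 as authenticator apps expect it from a QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

class TwoFactorAccount:
    """Server-side 2FA state for one user (hypothetical model, not the vendor's)."""

    def __init__(self, rotate_on_enable: bool):
        self.rotate_on_enable = rotate_on_enable  # False = reported bug, True = fix
        self.secret = None
        self.enabled = False

    def enable(self) -> str:
        # Vulnerable: reuse whatever secret is on record. Fixed: always mint a new one.
        if self.secret is None or self.rotate_on_enable:
            self.secret = new_secret()
        self.enabled = True
        return self.secret  # what the QR code / setup page shows the user

    def disable(self) -> None:
        self.enabled = False
        if self.rotate_on_enable:
            self.secret = None  # nothing usable is left at rest between enrolments

    def verify(self, code: str, now: int) -> bool:
        return self.enabled and hmac.compare_digest(totp(self.secret, now), code)

def captured_secret_survives(rotate_on_enable: bool) -> bool:
    """Replay the report's steps: enrol, note the secret, disable, enrol again."""
    acct = TwoFactorAccount(rotate_on_enable)
    captured = acct.enable()  # step 2: secret noted (or taken from a compromised device)
    acct.disable()            # step 3
    acct.enable()             # step 4
    return acct.secret == captured  # step 5: True means the old secret still works
```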