PHPGangsta / GoogleAuthenticator

PHP class to generate and verify Google Authenticator 2-factor authentication
http://phpgangsta.de/4376
BSD 2-Clause "Simplified" License
2.26k stars 697 forks

QR Code Generator leaks secret to third party #32

Open phayes opened 8 years ago

phayes commented 8 years ago

When generating a QR code, this library sends the shared secret, which should be kept absolutely secret, to a third party website for processing into a QRcode image.

Leaking the shared secret like this is very undesirable in a security-focused library. QRCode generation should happen locally.

PHPGangsta commented 8 years ago

You can of course use your own QRCode generation library. The Google QRCode generator is just an easy and quick example. Google does not know which account it's connected to, and I guess has better things to do than trying to abuse the generated QRCodes...

I don't want to add a dependency on an external library, which many people don't need. And nobody stops you from calling createSecret() and feeding that into your own local QRCode generator.

Maybe I should add a small comment that, for 100% security, a user should not use the Google QRCode generator, but a local one? Can you recommend a good PHP QRCode generator which is easy to use as a dependency for local QRCode generation?

RobThree commented 8 years ago

You may want to take a look at this alternative. It allows for easy integration of your favorite QR code generator.

Having said that: yes, the secret should be kept secret as much as possible but there are a few things to consider:

TwoFactorAuth also mitigates other attack vectors this library has (see issues and PRs), such as using a CSRNG by default (non-CS (i.e. PRNG) opt-in/allowed though) and timing side-channel attacks, and it is available as a composer package and has a very similar API to PHPGangsta's.

Full disclosure: I am the developer of the mentioned TwoFactorAuth library.
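An added example, not part of the thread or of either library: a check that can be run over rendered templates or egress proxy logs to flag any URL that carries an `otpauth://` provisioning URI, and with it the shared secret, to a host outside an allow-list. The host names, the allow-list and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: only these hosts may ever receive a provisioning URI.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "app.example.internal"}


def find_otpauth(value, depth=3):
    """Return the otpauth:// URI embedded in value, undoing up to `depth` extra URL-encodings."""
    for _ in range(depth):
        idx = value.lower().find("otpauth://")
        if idx != -1:
            return value[idx:]
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return None


def leaked_secret(url, local_hosts=LOCAL_HOSTS):
    """Return (host, account label, masked secret) if url sends a TOTP secret off-host, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in local_hosts:
        return None
    # parse_qsl decodes each query value once; find_otpauth handles further layers.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        uri = find_otpauth(value)
        if uri is None:
            continue
        inner = urlsplit(uri)
        secret = dict(parse_qsl(inner.query)).get("secret")
        if secret:
            label = unquote(inner.path.lstrip("/"))
            # Mask the secret so the audit output does not leak it again.
            return host, label, secret[:2] + "*" * (len(secret) - 2)
    return None


# Constructed sample URLs (not taken from the library or from real traffic).
REMOTE = ("https://qr.example.net/render?size=200x200&data=otpauth%3A%2F%2Ftotp%2F"
          "alice%2540example.com%3Fsecret%3DJBSWY3DPEHPK3PXP%26issuer%3DDemo")
LOCAL = "https://app.example.internal/qr?data=otpauth%3A%2F%2Ftotp%2Fbob%3Fsecret%3DJBSWY3DPEHPK3PXP"
BENIGN = "https://qr.example.net/render?data=hello"

if __name__ == "__main__":
    for u in (REMOTE, LOCAL, BENIGN):
        print(leaked_secret(u), "<-", u[:48])
```

A hit means the secret has already left the host, so the affected account's secret should be rotated rather than only fixing the QR rendering path.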