born05 / craft-twofactorauthentication

Craft plugin for two-factor or two-step login using Time Based OTP.
MIT License

Should the secret be more "secretive"? #51

Closed bencroker closed 3 years ago

bencroker commented 3 years ago

Is the user secret being initially set to their email address intentional? Would it not be more secure to use the user's UID or to generate a random string?

https://github.com/born05/craft-twofactorauthentication/blob/fbafbc7a7d3c6ffac98b610c7aafa392067c0fa7/src/services/Verify.php#L172

roelvanhintum commented 3 years ago

Thanks @bencroker. Fixed in 2.8.1. This was correct usage with the old TOTP library, definitely wrong in the current one.
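For reference, what a sound TOTP secret setup looks like, as an added example that is not the plugin's code: a fresh 160-bit secret per user from the OS CSPRNG, RFC 6238 code generation over HMAC-SHA1, and a drift-tolerant constant-time check. `RFC_TEST_SECRET` is the RFC 6238 reference key, included only so the implementation can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# RFC 6238 Appendix B reference key ("12345678901234567890" in base32),
# used only to validate the implementation against the published vectors.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_totp_secret(nbytes: int = 20) -> str:
    """Return a fresh base32 shared secret drawn from the OS CSPRNG.

    20 bytes (160 bits) is the RFC 4226 recommended minimum for HMAC-SHA1.
    The secret must be unpredictable per user: anything derived from data
    an attacker can know (such as an email address) lets them compute the
    same codes as the server, which defeats the second factor entirely.
    """
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix timestamp."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", for_time // step)          # 8-byte big-endian step count
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Check a submitted code, tolerating +/- `window` steps of clock drift.

    hmac.compare_digest keeps the comparison constant-time so a wrong code
    is not distinguishable by timing from a partially right one.
    """
    now = int(time.time()) if now is None else now
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False
```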

bencroker commented 3 years ago

Thanks!