Closed bencroker closed 3 years ago
Is the user secret being initially set to their email address intentional? Would it not be more secure to use the user's UID or to generate a random string?
https://github.com/born05/craft-twofactorauthentication/blob/fbafbc7a7d3c6ffac98b610c7aafa392067c0fa7/src/services/Verify.php#L172
Thanks @bencroker. Fixed in 2.8.1. This was correct usage with the old TOTP library, definitely wrong in the current one.
Thanks!
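For context on the point raised in this issue, an added example (not code from the craft-twofactorauthentication plugin): a TOTP secret should come from a CSPRNG and be base32-encoded for the authenticator app, and a deployment that once stored the email as the secret can flag those accounts for re-enrollment. The re-enrollment check assumes the legacy secret column holds the raw email string; the function names and sample users are constructed for this example.

```php
<?php
declare(strict_types=1);

// RFC 4648 base32 alphabet, the encoding authenticator apps expect in otpauth URIs.
const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

function base32Encode(string $bytes): string
{
    $alphabet = BASE32_ALPHABET;
    $bits = '';
    foreach (str_split($bytes) as $byte) {
        $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {
        // Pad the final partial group on the right, as the RFC specifies.
        $out .= $alphabet[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
    }
    return $out; // '=' padding omitted, as otpauth URIs conventionally do
}

// RFC 4226 requires at least 128 bits of shared secret and recommends 160
// (the SHA-1 output size), so 20 random bytes is the usual default.
function generateTotpSecret(int $bytes = 20): string
{
    if ($bytes < 16) {
        throw new InvalidArgumentException('TOTP secret must be at least 128 bits');
    }
    return base32Encode(random_bytes($bytes)); // CSPRNG, never user-derived data
}

// Flags a stored secret that is still the user's email address (the legacy
// behaviour discussed in this issue) so the account can be forced to re-enroll.
// Hypothetical helper; assumes the column stores the value as originally set.
function isLegacyEmailSecret(string $storedSecret, string $email): bool
{
    return hash_equals(strtolower(trim($storedSecret)), strtolower(trim($email)));
}

// Constructed sample records: one legacy account, one with a fresh random secret.
$users = [
    ['email' => 'alice@example.com', 'secret' => 'alice@example.com'],
    ['email' => 'bob@example.com',   'secret' => generateTotpSecret()],
];
foreach ($users as $u) {
    $status = isLegacyEmailSecret($u['secret'], $u['email']) ? 'RE-ENROLL' : 'ok';
    printf("%-20s %s\n", $u['email'], $status);
}
```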