The SecureDrop Journalist application permits users to configure two-factor
authentication, but the second factor is checked only at login and not re-checked for
security-sensitive admin operations. An attacker holding a leaked admin password and
session token could therefore change other users' passwords or disable MFA for registered
users without ever presenting an MFA code. This is not being treated as a vulnerability but
as a hardening recommendation: requiring a fresh second factor (step-up authentication) on
these operations limits what a stolen session can do.
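To make the recommendation concrete, here is an added example (not SecureDrop's code, which uses its own user model and Flask views) showing an admin password-reset handler in the unhardened shape described above next to a step-up version that demands a fresh TOTP code from the acting admin. The user store, session dict and function names are hypothetical; the TOTP implementation follows RFC 4226/6238 with HMAC-SHA1 so the block runs offline, and the admin's secret is the RFC test-vector key.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


class AuthError(Exception):
    """Caller is not allowed to perform the operation."""


class StepUpRequired(AuthError):
    """A fresh second factor must be presented for this sensitive operation."""


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (HMAC-SHA1, dynamic truncation); TOTP is HOTP over a time counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, at: float,
                step: int = 30, window: int = 1) -> Optional[int]:
    """Return the time-step counter the code matched, or None.
    window=1 tolerates +/- one step (30 s) of clock skew between server and device."""
    counter = int(at // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret_b32, c), code):
            return c
    return None


# Constructed in-memory user store (hypothetical; not SecureDrop's schema).
# "admin" uses the RFC 4226 test secret "12345678901234567890" in base32.
USERS = {
    "admin":    {"is_admin": True,  "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
                 "password": "old-admin-pw", "last_totp_counter": -1},
    "reporter": {"is_admin": False, "totp_secret": "JBSWY3DPEHPK3PXP",
                 "password": "old-reporter-pw", "last_totp_counter": -1},
}


def _require_admin(session: dict) -> dict:
    user = USERS.get(session.get("user"))
    if not user or not user["is_admin"]:
        raise AuthError("admin privileges required")
    return user


def reset_password_unhardened(session: dict, target: str, new_password: str) -> bool:
    """The pattern described above: a valid admin session is the only check,
    so whoever holds a leaked session token can reset any user's password."""
    _require_admin(session)
    USERS[target]["password"] = new_password
    return True


def _step_up(session: dict, totp_code: Optional[str], now: Optional[float]) -> dict:
    """Re-authenticate the acting admin with a fresh, never-before-used TOTP code."""
    admin = _require_admin(session)
    if not totp_code:
        raise StepUpRequired("second factor required for this operation")
    at = time.time() if now is None else now
    matched = verify_totp(admin["totp_secret"], totp_code, at)
    if matched is None:
        raise AuthError("invalid second factor")
    if matched <= admin["last_totp_counter"]:
        raise AuthError("second factor already used")  # blocks replay of an observed code
    admin["last_totp_counter"] = matched
    return admin


def reset_password_hardened(session: dict, target: str, new_password: str,
                            totp_code: Optional[str], now: Optional[float] = None) -> bool:
    """Same operation, but a stolen session alone is no longer sufficient."""
    _step_up(session, totp_code, now)
    USERS[target]["password"] = new_password
    return True


def disable_mfa_hardened(session: dict, target: str,
                         totp_code: Optional[str], now: Optional[float] = None) -> bool:
    """Disabling another user's MFA is gated the same way."""
    _step_up(session, totp_code, now)
    USERS[target]["totp_secret"] = None
    return True
```

The `last_totp_counter` bookkeeping matters: without it, a code captured alongside the session token stays valid for the whole skew window, so the step-up would only delay the attacker by up to a minute rather than stop them. The `now` parameter exists only so the behaviour can be exercised deterministically; production callers leave it unset.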
We will be investigating this further as part of ongoing work on MFA improvements.