google / google-authenticator-libpam

Apache License 2.0

What stops a user from running a process to update the .cache file every 30 minutes, effectively disabling 2FA forever? #152

Closed bersbersbers closed 4 years ago

bersbersbers commented 4 years ago

What stops a user from running a process to update the .cache file every 30 minutes, effectively disabling 2FA forever?

akerl commented 4 years ago

Likely the same thing that stops a user from adding “0000000” as a valid scratch code: if that’s part of your threat model, the cache and config files need to be stored somewhere the user can’t modify them.
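One way to check the condition described in the answer above, as an added example that is not part of the thread or of either project's code: it walks from a 2FA state file up to `/` and lists every path component through which a given user could modify or replace the file. The names `can_alter` and `audit` are hypothetical, and only classic Unix mode bits are considered (no ACLs or mount options).

```python
import os
import stat
from pathlib import Path


def can_alter(st_mode, st_uid, st_gid, uid, gids=(), child_uid=None):
    """True if `uid` can change this file's content or this directory's entries.

    Deliberately conservative: an owner counts even on a read-only inode
    (they can chmod it back), and any applicable write bit counts.
    child_uid is the owner of the entry being protected inside a directory;
    it only matters for sticky directories such as /tmp.
    """
    if uid == 0 or st_uid == uid:
        return True
    writable = bool(st_mode & stat.S_IWOTH) or (
        bool(st_mode & stat.S_IWGRP) and st_gid in gids)
    if writable and stat.S_ISDIR(st_mode) and st_mode & stat.S_ISVTX:
        # Sticky bit: only the entry's owner (or the directory's owner,
        # handled above) may rename or unlink the entry.
        return child_uid == uid
    return writable


def audit(path, uid, gids=()):
    """Return each component of `path` that lets `uid` modify or replace it.

    A writable parent is as bad as a writable file: the user can rename
    the file (or a whole directory) away and put their own copy in place.
    """
    target = Path(path).resolve()
    findings = []
    child_uid = None
    for node in [target, *target.parents]:
        st = os.stat(node)
        if can_alter(st.st_mode, st.st_uid, st.st_gid, uid, gids, child_uid):
            findings.append(str(node))
        child_uid = st.st_uid  # owner of the entry as seen from its parent
    return findings
```

An empty list from `audit(path, uid)` means the user has no permission-bit route to the file; a state file in the user's own home directory will always be reported, because the user owns both the file and the directory.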

bersbersbers commented 4 years ago

@akerl thank you for the answer. I meant to post this as an issue for https://github.com/atodyl/google-authenticator-libpam-auth-cache and must have done it here by accident, but your answer explains perfectly well that the way of storing the auth cache in that project is not much more insecure than what this project is doing. Thanks again.

davama commented 4 years ago

@bersbersbers That's a pretty cool project! Thanks for referencing!

Would be a cool feature for this project :+1: