Open evgenyneu opened 2 years ago
Thanks for the bug report @evgenyneu, do you want to contribute a pull request with the solution?
Otherwise, I'll take some time to fix this.
I don't mind adding bcrypt as a dependency since Rails had is as soft-dependency as well.
I noticed a security vulnerability: the backup codes are stored as plain text in a database field. Specifically,
authenticate_backup_code
function checks if the list of stored backup codes includes thecode
entered by the user withbackup_codes.include?(code)
command:The problem is, if the database leaks out, one can use the codes on the 2FA screen and bypass two factor authentication. A partial solution would be to encrypt the field that stores the backup codes with active record encryption or other methods. But it still makes the system vulnerable if both the database and the encryption key leaks out.
A conventional secure solution would be to generate a list of random backup codes but store only their hashes in the database. One of popular password hashing methods is bcrypt. Here is how to generate a code and its hash:
And here is how to check if the code entered by the user corresponds to the generated hash: