Open Closed

Authenticator allows the user to enter the expired authentication code #6044


User avatar
0
aqudah81 created
  • ABP Framework version: v7.3.3
  • UI Type: Angular
  • Database System: EF Core (SQL Server)
  • **Auth Server Separated (for Angular)
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

1- Log in to the system 2- Setup Authenticator app from my account 3- Enable two-factor authentication 4-Log out from the system and log in again 5- Select provider authenticator 6- Navigate to (google or Microsoft authenticator ) 7- Enter the authentication code from the app authenticator into the system, wait until it expires, and then press submit.

Actual result: The system allows the user to enter the expired authentication code and then enter it into the system

Expected result: The system should display an error message stating that the code is invalid or expired

Please can you see this video .


4 Answer(s)
  • User Avatar
    0
    Anjali_Musmade created
    Support Team Support Team Member

    Hi,

    As per TOTP algorithm, the expiry time of one time password code is not controlled. So even if you are entering the expired code, it is really not expired. It is just expired in the time slice when the app generated it, but Azure AD B2C will accept it within time tolerance

    Please have a look at Microsoft explanation on the same issue with Microsoft Authenticator https://learn.microsoft.com/en-us/answers/questions/1045996/ad-b2c-custom-policy-microsoft-authenticator-totp

    Thank you, Anjali

  • User Avatar
    0
    shorhabelsc created

    Hi,

    Thank you for the feedback.

    Microsoft explanation is related to their own implementation in AD B2C service, which is not related to the authenticator app itself not is related to what ABP Code is actually doing. Each server decides how long will it accepts the OTP token; and in their case it seems to be up to 5min,

    Generally speaking It is common but not universal to accept, at a given time,

    1. the current token,
    2. the token from the previous window,
    3. the token for the next window. This is done as a partial mitigation for potential clock skew issues on the client that's generating the TOTP codes (e.g. your phone). In practice this means every code is valid for 1m30s, although sites may customize this (with or without changing the window size, which is typically not done because that parameter must be consistent system-wide).

    So the question, what is abp server code does in this regard? for how long it would accepts the token?

    Regards, Shorhabel

  • User Avatar
    0
    shorhabelsc created

    Hello

    I wonder if you have any feedback on the above

    regards, Shorhabel

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    abp uses the functionality provided by identity. No changes have been made.

    https://learn.microsoft.com/en-us/aspnet/core/security/authentication/mfa?view=aspnetcore-7.0#mfa-totp-time-based-one-time-password-algorithm https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-enable-qrcodes?view=aspnetcore-7.0#totp-client-and-server-time-skew

Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11