Skip to main content

Friendica Developers reshared this.

2 Factor & DB plaintext

!Friendica Developers

Hi all, I lost my mobile phone during the last festival and so my TOTP-App was gone forever. Unfortunately, I wasn't aware of my recovery codes, so I thought I would have to reset my accounts of Friendica.

But no! just use select code from 2fa_recorvery_codes where uid = 66 and used is NULL; and voilรก, I used the first code and was back in.

@Hypolite Petovan , isn't this a possible security issue, is it?? Storing such sensible data as plaintext. I think we should save it as hash like for passwords to make it impossible to read it again .. Yes, the downside is that there's no possibility to save recovery_codes from the settings-panel again, but tbh I feel a little bit unsafe, but maybe it's just a feeling :-)

in reply to Philipp Holzer Friendica Developers reshared this.

We hash passwords not just because we want to prevent someone having a database dump from logging in the website depending on this database, but also for the other websites users might use the same password for. There is no such risk for randomly generated recovery codes.

Additionally, the use of the recovery codes necessitates the use of the password (that you still had in your head/password manager), after all it's a second-factor authentication, which means that it can be freely compromised as long as the first factor (the password) is safe.

Still, we can hash these codes and as a result only show them once, it isn't that hard other than requiring someoneโ„ข to spend some quality time on this task.