
Two Factor Code Question #5474


User avatar
0
joe704la created

I am thinking of using 2-Factor Auth and as I was testing it, I had it send a code to my email and that entire process works well. But then I logged out and logged back in, had it send me another code, but the code was the exact same as the first time. I was expecting this code to be different.

Am I mistaken that this code should be different every time and only good for a one time use? I think it would be more secure if it is a 1-time use code.


6 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team

    Can you share the relevant code?

  • User Avatar
    0
    joe704la created

    When I say code in my post I am talking about the actual Security Code that is sent to my email. There is nothing to share since I am talking about the two-factor functionality that is built into ASP.NET Zero in the TokenAuthController.CS file.

  • User Avatar
    0
    ryancyq created
    Support Team

    Hi @joe704la, can you provide more information? Which aspnetzero version were you using?

    A 2FA code is generated every time SendTwoFactorAuthCode is called.

    See https://github.com/aspnetzero/aspnet-zero-core/blob/dev/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Web.Core/Controllers/TokenAuthController.cs#L185

  • User Avatar
    0
    joe704la created

    I am on the latest version. 5.6.1

  • User Avatar
    0
    ryancyq created
    Support Team

    joe704la: I am on the latest version. 5.6.1

    MVCAJ or AspNetCoreAJ ?

  • User Avatar
    0
    codescientists created

    Still occurs. But apparently it comes from Microsoft.Extensions.Identity.Core.UserManager base class. The line where the "new" code is generated is from TokenAuthController.SendTwoFactorAuthCode(): cacheItem.Code = await _userManager.GenerateTwoFactorTokenAsync(user, model.Provider);

    I don't understand why it is the same number but it often is, perhaps depending on timing? Indeed responses here suggest it is (I assume aspnetcore equivalents came out of MVC). Also implies possibly some way to change it. Could just randomly generate a code some other way since it is generated & checked against a cache.

    https://stackoverflow.com/questions/42369268/how-to-prevent-generation-of-the-same-otps-in-mvc-2fa
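
The behaviour described in the original question and in the last reply (the same code coming back when a second one is requested shortly after the first) is what a time-step-based token gives by construction: every request inside one time window hashes the same counter, so it yields the same digits. The example below is added for this page and is not code from ASP.NET Zero or Microsoft.Extensions.Identity. It models an RFC 6238-style code of the kind Identity's default email/SMS token provider produces (the 3-minute step is an assumption about that provider's reference implementation; the secret, the purpose modifier and the timestamps are constructed values) and contrasts it with the randomly generated single-use code the last reply proposes, implemented as a server-side cache entry that is consumed on first successful use, expires, and tolerates only a few wrong guesses.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed secret standing in for the per-user material a real provider
# derives from the user's security stamp; never hard-code this in practice.
SECRET = b"constructed-demo-secret-not-real"
STEP_SECONDS = 180  # assumption: a 3-minute window, as in Identity's Rfc6238 service


def window_index(now: float, step_seconds: int = STEP_SECONDS) -> int:
    """Time window a timestamp falls in. Every instant in one window maps to
    the same counter, which is why two requests close together repeat a code."""
    return int(now) // step_seconds


def time_step_code(secret: bytes, now: float, step_seconds: int = STEP_SECONDS,
                   modifier: bytes = b"purpose:demo", digits: int = 6) -> str:
    """RFC 6238-style code: HMAC-SHA1 over the window counter plus a purpose
    modifier, dynamically truncated (RFC 4226) to `digits` decimal digits."""
    counter = struct.pack(">Q", window_index(now, step_seconds))
    mac = hmac.new(secret, counter + modifier, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class OneTimeCodeStore:
    """Random single-use codes kept server side: the alternative the last
    reply suggests (generate randomly, check against a cache). Only a hash
    of the code is stored, together with its expiry and remaining attempts."""

    def __init__(self, ttl_seconds: int = 180, max_attempts: int = 5, clock=time.time):
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._pending = {}   # user_id -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user_id: str, digits: int = 6) -> str:
        """Generate a fresh CSPRNG code; reissuing replaces any older pending code."""
        code = str(secrets.randbelow(10 ** digits)).zfill(digits)
        self._pending[user_id] = [self._digest(code), self._clock() + self._ttl,
                                  self._max_attempts]
        return code

    def verify(self, user_id: str, code: str) -> bool:
        """True exactly once per issued code; expired, exhausted or replayed codes fail."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user_id]
            return False
        if not hmac.compare_digest(digest, self._digest(code)):
            entry[2] = attempts_left - 1
            if entry[2] <= 0:
                del self._pending[user_id]  # too many guesses: force a reissue
            return False
        del self._pending[user_id]  # consumed, so replaying the same code fails
        return True


def demo() -> dict:
    """Run both schemes on constructed inputs and report what each does."""
    t0 = 1_000_000  # constructed timestamp
    first = time_step_code(SECRET, t0)
    same_window = time_step_code(SECRET, t0 + 50)
    later = time_step_code(SECRET, t0 + 2 * STEP_SECONDS)
    store = OneTimeCodeStore()
    code = store.issue("user-42")
    return {
        "time_step_repeats_in_window": first == same_window,
        "time_step_changes_next_window": first != later,
        "one_time_first_use": store.verify("user-42", code),
        "one_time_replay": store.verify("user-42", code),
    }


if __name__ == "__main__":
    print(demo())
```

The time-step scheme is not broken by the repeat: the code is still bound to the user's secret and to the window, and a provider validates it only within a small number of adjacent windows. What it does not give is single use, which is the property the question asks for; the cache-backed store supplies it, and the attempt counter matters there because a six-digit random code without one is guessable within the expiry window.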