I am thinking of using 2-Factor Auth and as I was testing it, I had it send a code to my email and that entire process works well. But then I logged out and logged back in, had it send me another code, but the code was the exact same as the first time. I was expecting this code to be different.
Am I mistaken that this code should be different every time and only good for a one time use? I think it would be more secure if it is a 1-time use code.
6 Answer(s)
-
0
Can you share the relevant code?
-
0
When I say code in my post I am talking about the actual Security Code that is sent to my email. There is nothing to share since I am talking about the two-factor functionality that is built into ASP.NET Zero in the TokenAuthController.CS file.
-
0
Hi @joe704la, can you provide more information? Which aspnetzero version were you using?
2FA code is generated every time when SendTwoFactorAuthCode is called.
See https://github.com/aspnetzero/aspnet-zero-core/blob/dev/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Web.Core/Controllers/TokenAuthController.cs#L185
-
0
I am on the latest version. 5.6.1
-
0
joe704la: I am on the latest version. 5.6.1
MVCAJ or AspNetCoreAJ ?
-
0
Still occurs. But apparently it comes from Microsoft.Extensions.Identity.Core.UserManager base class. The line where the "new" code is generated is from TokenAuthController.SendTwoFactorAuthCode():
cacheItem.Code = await _userManager.GenerateTwoFactorTokenAsync(user, model.Provider);
I don't understand why it is the same number but it often is, perhaps depending on timing? Indeed responses here suggest it is (I assume aspnetcore equivalents came out of MVC). Also implies possibly some way to change it. Could just randomly generate a code some other way since it is generated & checked against a cache.
https://stackoverflow.com/questions/42369268/how-to-prevent-generation-of-the-same-otps-in-mvc-2fa
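
The last reply suggests generating the code randomly, since it is generated and checked against a cache. One way to do that, as an added example that is not ASP.NET Zero or ASP.NET Core Identity code: `SingleUseCodeStore` and its members are hypothetical names, the in-memory dictionary stands in for the cache, and `RandomNumberGenerator.GetInt32` assumes .NET Core 3.0 or later.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: issues random, single-use, short-lived 2FA codes.
public sealed class SingleUseCodeStore
{
    private readonly ConcurrentDictionary<string, (byte[] Code, DateTimeOffset Expires)> _pending =
        new ConcurrentDictionary<string, (byte[] Code, DateTimeOffset Expires)>();
    private readonly TimeSpan _lifetime;

    public SingleUseCodeStore(TimeSpan lifetime) => _lifetime = lifetime;

    // Draws a fresh 6-digit code from the OS CSPRNG on every call, so a second
    // login does not reuse the first code; the earlier entry is overwritten.
    public string Issue(string userKey, DateTimeOffset now)
    {
        string code = RandomNumberGenerator.GetInt32(0, 1_000_000).ToString("D6");
        _pending[userKey] = (Encoding.UTF8.GetBytes(code), now + _lifetime);
        return code;
    }

    // The entry is removed before it is compared, so each issued code allows
    // exactly one attempt: a wrong guess or a replay both find nothing left.
    public bool Redeem(string userKey, string submitted, DateTimeOffset now)
    {
        if (submitted == null || !_pending.TryRemove(userKey, out var entry)) return false;
        if (now > entry.Expires) return false;
        // Constant-time comparison; returns false when the lengths differ.
        return CryptographicOperations.FixedTimeEquals(entry.Code, Encoding.UTF8.GetBytes(submitted));
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new SingleUseCodeStore(TimeSpan.FromMinutes(2));
        var now = DateTimeOffset.UtcNow;          // constructed sample timeline
        string code = store.Issue("user-42", now);
        Console.WriteLine(store.Redeem("user-42", code, now));                 // first use succeeds
        Console.WriteLine(store.Redeem("user-42", code, now));                 // replay is rejected
        string late = store.Issue("user-42", now);
        Console.WriteLine(store.Redeem("user-42", late, now.AddMinutes(3)));   // expired code is rejected
    }
}
```

Because a failed attempt also consumes the code, the user has to request a new one after a typo, which keeps guessing to one try per issued code.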