
TOTP Generate Recovery Codes MFA #965

@tahussle

Description


Area
Web Client MFA /web/client/mfa

Summary
Not sure if this is the expected behaviour, but a user required to use MFA has the option to generate recovery codes even before configuring and enabling it on the account. This option is available after logging in with username / password. This means an attacker who knows the user's password could potentially generate a bunch of recovery codes, bypassing 2FA after it is enabled on the account at a later date.

Steps to reproduce as Admin
As an Admin, create a new account for a user with a password but enable the requirement for MFA.

Steps to reproduce the behavior as user:

The user logs into the web client and gets this page:

[screenshot]

On all other options, when the user clicks them, they get the image above:

[screenshot]

Scroll to the bottom, click Generate codes and store them for later.

[screenshot]

After enabling 2FA

Expected behavior

Options to generate codes should not be visible until 2FA has been enabled on the account, I would have thought?

[screenshot]
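As an added illustration of the server-side check this report asks for (example code written for this issue, not SFTPGo's own types or handlers): recovery codes are only minted once TOTP is actually configured and enabled, an admin-set "MFA required" flag alone is not enough, and only hashes of the codes are stored. The `User` fields and the 10-byte code length are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"encoding/hex"
	"errors"
)

// Hypothetical minimal model of a user's MFA state; these are not SFTPGo's own types.
type User struct {
	Username      string
	RequireMFA    bool     // admin-set requirement, as in the report
	TOTPEnabled   bool     // true only once the user has configured and enabled TOTP
	TOTPSecret    string   // constructed placeholder in the tests below
	RecoveryCodes []string // SHA-256 hex of each unused code; plaintext is shown once
}

var ErrTOTPNotEnabled = errors.New("recovery codes require an enabled TOTP configuration")

// canGenerateRecoveryCodes is the guard the report asks for. Hiding the button in the
// web client is not enough: the API must refuse too, and RequireMFA alone does not count.
func canGenerateRecoveryCodes(u *User) error {
	if !u.TOTPEnabled || u.TOTPSecret == "" {
		return ErrTOTPNotEnabled
	}
	return nil
}

// generateRecoveryCodes mints n codes, stores only their hashes on the user and
// returns the plaintext exactly once for display.
func generateRecoveryCodes(u *User, n int) ([]string, error) {
	if err := canGenerateRecoveryCodes(u); err != nil {
		return nil, err
	}
	codes, hashes := make([]string, 0, n), make([]string, 0, n)
	for i := 0; i < n; i++ {
		buf := make([]byte, 10) // 80 bits of randomness per code (assumed length)
		if _, err := rand.Read(buf); err != nil {
			return nil, err
		}
		code := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(buf)
		sum := sha256.Sum256([]byte(code))
		codes, hashes = append(codes, code), append(hashes, hex.EncodeToString(sum[:]))
	}
	u.RecoveryCodes = hashes
	return codes, nil
}
```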

System info:
OS Name: Redhat
OS Version: 9
sftpgo version: SFTPGo 2.3.3-665016e-2022-08-05T08:54:48Z +metrics +azblob +gcs +s3 +bolt +mysql +pgsql +sqlite +portable
sftpgo install source: Yum
