
How long is the code valid? A change is not possible. #164

Open
RK202103 opened this issue Mar 22, 2021 · 3 comments
Labels
enhancement New feature or request help wanted Extra attention is needed security Pull requests that address a security vulnerability

Comments

@RK202103 opened this issue Mar 22, 2021

How long is the code valid?
Is it possible to adjust the validity of the code? How is it possible?

@nursoda (Owner) commented Sep 30, 2021

Currently, codes are valid infinitely and there's no possibility to configure a validity time period. I consider this a security issue to some extent. Question is: How long may a code be valid to not pose a risk, and what is user expectation? My first guess: 1h? I don't think 24h is necessary, one may easily send another code (abort login, re-login). In case we implemented 1h, does it still need to be configurable? I'd like to keep the app simple…

@nursoda nursoda added enhancement New feature or request help wanted Extra attention is needed security Pull requests that address a security vulnerability labels Feb 26, 2022
@binaryhq commented Apr 8, 2022

Any thoughts on this?

@nursoda (Owner) commented Apr 8, 2022

While testing 2.2.0 release, we did a black box test: We tried to log in from two different devices:

  1. Log in (username+password) on device A, 2FA→Email (wait)
  2. Log in (username+password) on device B, 2FA→Email (wait)
  3. (two emails with codes are sent and received)
  4. Continue login 1. on device A but using the second code sent from device B → cannot be used
  5. Continue login 2. on device B but using the first code sent from device A → cannot be used
  6. (search for the 2FA codes in the database → no match)
  7. Continue login 1. on device A using the first code sent → login successful
  8. Continue login 2. on device B using the second code sent → login successful

This leads to several conclusions: 2FA codes…

  1. can only be used on the device the login was started with
  2. seem not to be stored persistently (to be verified further: what happens upon intermediate reboot?)
  3. are not "overwritten" (concurrent logins do work fine)

Especially conclusion 1 implies that there is no immanent security risk, even if they were stored permanently.
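The behaviour the black-box test above observed (a code is only accepted by the login session that requested it, concurrent logins do not overwrite each other) together with the 1h validity proposed earlier in the thread can be modelled as a small session-keyed code store. The following is an added example written for this discussion, not the project's own code: the 6-digit code format, the 1h default TTL, the session identifiers, the `MAX_ATTEMPTS` cap and the `FakeClock` helper are all assumptions made for the illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingCode:
    """One outstanding e-mail code, bound to the login session that requested it."""
    code: str
    expires_at: float
    attempts: int = 0


class EmailCodeStore:
    """In-memory store of pending 2FA e-mail codes keyed by login session.

    Assumptions (not from the thread): codes are 6 decimal digits, the default
    validity is the 1h the maintainer floated, and a session's code is discarded
    after MAX_ATTEMPTS wrong guesses.
    """
    MAX_ATTEMPTS = 5

    def __init__(self, ttl_seconds=3600, clock=time.time, code_factory=None):
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._code_factory = code_factory or (lambda: f"{secrets.randbelow(10**6):06d}")
        self._pending = {}  # session_id -> PendingCode

    def issue(self, session_id):
        """Generate a fresh code for this session; a new request replaces the old one."""
        code = self._code_factory()
        self._pending[session_id] = PendingCode(code, self._clock() + self._ttl)
        return code

    def verify(self, session_id, submitted):
        """Accept the code only for the issuing session, before expiry, exactly once."""
        entry = self._pending.get(session_id)
        if entry is None:  # unknown session, or code already consumed
            return False
        if self._clock() > entry.expires_at:
            del self._pending[session_id]
            return False
        if not hmac.compare_digest(entry.code.encode(), submitted.encode()):
            entry.attempts += 1
            if entry.attempts >= self.MAX_ATTEMPTS:
                del self._pending[session_id]
            return False
        del self._pending[session_id]  # single use: remove on success
        return True


class FakeClock:
    """Constructed clock so the TTL behaviour can be exercised deterministically."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_black_box_scenario():
    """Replay the two-device test from the thread with constructed, fixed codes."""
    codes = iter(["111111", "222222"])
    store = EmailCodeStore(code_factory=lambda: next(codes))
    code_a = store.issue("session-A")  # step 1: device A starts a login
    code_b = store.issue("session-B")  # step 2: device B starts a login
    return {
        "b_code_on_a": store.verify("session-A", code_b),    # step 4: rejected
        "a_code_on_b": store.verify("session-B", code_a),    # step 5: rejected
        "a_code_on_a": store.verify("session-A", code_a),    # step 7: accepted
        "b_code_on_b": store.verify("session-B", code_b),    # step 8: accepted
        "a_code_replay": store.verify("session-A", code_a),  # re-use: rejected
    }


def run_expiry_scenario(ttl_seconds=3600):
    """Show a code accepted just inside the TTL and rejected just past it."""
    clock = FakeClock()
    store = EmailCodeStore(ttl_seconds=ttl_seconds, clock=clock)
    fresh = store.issue("session-C")
    stale = store.issue("session-D")
    clock.advance(ttl_seconds - 1)
    within = store.verify("session-C", fresh)
    clock.advance(2)  # now ttl_seconds + 1 after issue
    after = store.verify("session-D", stale)
    return {"within_ttl": within, "after_ttl": after}


def run_lockout_scenario():
    """After MAX_ATTEMPTS wrong guesses even the correct code no longer works."""
    store = EmailCodeStore(code_factory=lambda: "123456")
    code = store.issue("session-E")
    for _ in range(EmailCodeStore.MAX_ATTEMPTS):
        store.verify("session-E", "000000")
    return store.verify("session-E", code)


if __name__ == "__main__":
    print(run_black_box_scenario())
    print(run_expiry_scenario())
    print(run_lockout_scenario())
```

Keying the store by login session is what makes conclusion 1 hold: a code from device B simply has no entry under device A's session. Adding `expires_at` answers the original question (how long is the code valid) without changing that property, and the constant-time comparison and attempt cap limit what an attacker who only knows a session exists can do with guesses.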
