Kirby
Guest
When activating any two step authentication method, XenForo also generates a list of backup codes.
Those backup codes are stored as plaintext in the database and shown to the user when accessing account/two-step/backup/manage.
Storing those codes as plaintext in the database seems a security issue to me; if an attacker gets access to those codes, he can use them to log into accounts effectively bypassing stronger options (like TOTP) set up on accounts.
Therefore, backup...
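An added example, not part of the original post and not XenForo code: one way to keep backup codes out of the database in readable form is to store only a salted, slow hash and consume each code on use. The 9-digit code format, the PBKDF2 work factor and the record layout are assumptions for illustration; the trade-off is that codes can be displayed only once, at generation time.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for the server's hardware


def _digest(code: str, salt: bytes) -> bytes:
    # Short numeric codes are cheap to guess offline against a fast hash,
    # so a deliberately slow, salted KDF is used instead.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


def generate_backup_codes(count: int = 10, digits: int = 9):
    """Return (plaintext_codes, record). Only `record` is persisted."""
    salt = secrets.token_bytes(16)  # one random salt per user
    codes = [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]
    record = {"salt": salt, "hashes": [_digest(c, salt) for c in codes]}
    return codes, record  # show `codes` to the user once, then discard them


def redeem_backup_code(record: dict, submitted: str) -> bool:
    """Verify a submitted code and remove it so it cannot be replayed."""
    normalized = "".join(submitted.split())  # tolerate spaces typed by the user
    candidate = _digest(normalized, record["salt"])
    match = None
    for index, stored in enumerate(record["hashes"]):
        # Constant-time comparison; scan every entry regardless of a hit.
        if hmac.compare_digest(candidate, stored):
            match = index
    if match is None:
        return False
    del record["hashes"][match]  # single use
    return True


if __name__ == "__main__":
    shown_once, stored = generate_backup_codes()
    print("show to user once:", shown_once)
    print("first redeem:", redeem_backup_code(stored, shown_once[0]))
    print("replay:", redeem_backup_code(stored, shown_once[0]))
```

Someone who reads the stored record still has to brute-force each code through the KDF, so the verification endpoint should also be rate limited.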