Solved TFA: Backup codes seem to be a security risk

This topic has been solved

Kirby

Guest
When activating any two-step authentication method, XenForo also generates a list of backup codes.

Those backup codes are stored as plaintext in the database and shown to the user when accessing account/two-step/backup/manage.

Storing those codes as plaintext in the database seems a security issue to me; if an attacker gets access to those codes, he can use them to log into accounts, effectively bypassing stronger options (like TOTP) set up on accounts.

Therefore, backup...

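The hardened alternative the post argues for, as an added example that is not XenForo's code: backup codes are shown once, only salted hashes are stored, and a redeemed code is deleted so it cannot be replayed. The function names, the PBKDF2 work factor and the 10-hex-character code format are assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Illustrative hardening, not XenForo code: backup codes are shown to the user
# once at generation time and only salted hashes are persisted, so a database
# leak yields no usable codes. Each code is deleted when redeemed (single use).
ITERATIONS = 50_000          # PBKDF2 work factor; hypothetical tuning value


@dataclass
class StoredBackupCodes:
    """What the database row would hold: a per-user salt and unused code hashes."""
    salt: bytes
    hashes: list[bytes]


def normalize(code: str) -> str:
    # Tolerate the formatting users type back (spaces, dashes, upper case).
    return code.strip().replace("-", "").replace(" ", "").lower()


def hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, ITERATIONS)


def generate_backup_codes(count: int = 10) -> tuple[list[str], StoredBackupCodes]:
    """Return (plaintext codes to display exactly once, record to persist)."""
    salt = secrets.token_bytes(16)
    codes = [secrets.token_hex(5) for _ in range(count)]    # 10 hex chars, 40 bits
    record = StoredBackupCodes(salt=salt, hashes=[hash_code(c, salt) for c in codes])
    return codes, record


def redeem_backup_code(record: StoredBackupCodes, submitted: str) -> bool:
    """Compare each stored hash in constant time; consume the code on success."""
    candidate = hash_code(submitted, record.salt)
    for i, stored in enumerate(record.hashes):
        if hmac.compare_digest(candidate, stored):
            del record.hashes[i]          # a redeemed code must never work again
            return True
    return False


if __name__ == "__main__":
    shown_once, db_record = generate_backup_codes()
    print("Codes to show the user once:", shown_once)
    print("Stored hashes:", [h.hex()[:12] + "..." for h in db_record.hashes])
    print("Redeem:", redeem_backup_code(db_record, shown_once[0]))
    print("Replay:", redeem_backup_code(db_record, shown_once[0]))
```

With this layout the account/two-step/backup/manage page can only report how many codes remain unused, not list them, which is the point of hashing.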