How long is the code valid? A change is not possible. #164
Currently, codes are valid infinitely and there's no possibility to configure a validity time period. I consider this a security issue to some extent. Question is: How long may a code be valid to not pose a risk, and what is user expectation. My first guess: 1h? I don't think 24h is necessary, one may easily send another code (abort login, re-login). In case we implemented 1h, does it still need to be configurable? I'd like to keep the app simple…
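As an added illustration of the change discussed above (example code, not the project's own, whose language and storage layer are not shown here): a Python code store with a configurable validity window defaulting to the 1h floated in the comment, which purges a code once it is used, expired or guessed at too often. The 6-digit format, the 5-attempt cap, the user IDs and the injectable clock are assumptions.

```python
import hmac
import secrets
import time


class CodeStore:
    """In-memory one-time login codes with a validity window and single use.

    ttl: validity period in seconds (3600 = the 1h proposed in the issue).
    now: injectable clock so expiry can be exercised deterministically.
    """

    def __init__(self, ttl=3600, max_attempts=5, now=time.time):
        self.ttl = ttl
        self.max_attempts = max_attempts  # assumed guess limit per code
        self.now = now
        self._pending = {}  # user_id -> [code, issued_at, attempts]

    def issue(self, user_id):
        # A fresh code replaces any outstanding one for this user.
        code = f"{secrets.randbelow(10**6):06d}"  # assumed 6-digit format
        self._pending[user_id] = [code, self.now(), 0]
        return code

    def verify(self, user_id, candidate):
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        code, issued_at, _ = entry
        if self.now() - issued_at > self.ttl:
            del self._pending[user_id]  # expired: purge instead of keeping forever
            return False
        entry[2] += 1
        if entry[2] > self.max_attempts:
            del self._pending[user_id]  # too many guesses: force a new code
            return False
        if hmac.compare_digest(code, candidate):  # constant-time comparison
            del self._pending[user_id]  # single use: the code cannot be replayed
            return True
        return False


def simulate():
    """Walk a code through wrong guess, correct use, replay and expiry."""
    clock = [0.0]
    store = CodeStore(ttl=3600, now=lambda: clock[0])
    code = store.issue("alice")
    wrong = "000000" if code != "000000" else "000001"
    results = {"wrong": store.verify("alice", wrong),
               "right": store.verify("alice", code),
               "replay": store.verify("alice", code)}
    code2 = store.issue("alice")
    clock[0] += 3601  # one second past the 1h window
    results["expired"] = store.verify("alice", code2)
    return results
```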
Any thoughts on this?
While testing 2.2.0 release, we did a black box test: We tried to log in from two different devices:
This leads to several conclusions: 2FA codes…
Especially conclusion 1 implies that there is no immanent security risk, even if they were stored permanently.
How long is the code valid?
Is it possible to adjust the validity of the code? How is it possible?