Update default OTP Window for Google TOTP to 1 per recommendation in RFC 6238 #240
Conversation
nathanjosiah
added
the
Component: 2FA
|
Hey @davidalger! Thanks for opening this. I think that you are correct that the window is too big. It looks like this was missed when two different approaches to the automation support were merged during our internal development. The intention was that the otp's were only valid for 30 seconds by default (as is the standard) and for automation (or whatever else) this could be increased to prevent issues with immediately expiring tokens. I think it makes sense to change that in this PR as well. Can you confirm that changing the default to |
nathanjosiah
added
enhancement
nathanjosiah
changed the title
nathanjosiah
removed
the
documentation
ghost
added
2.4-develop: 5️⃣
@nathanjosiah I will see if I can give this a run through with those settings and followup. On a related note, I ran a quick poll on this to see what some of my peers thought and just about every respondent agreed this should be very small window. Shortly thereafter I also found the RFC for TOTP which confirms that's what's typically expected. Seems everybody is on the same page, that the window should definitely be very small so we don't have codes valid for a long period of time.
I'm curious if you have context on why the OTP Window setting was added, as the previous 2FA implementation did not specify an OTP Window when it called Reviewing the implementation of |
Yes, it was added to support automation but it is also not uncommon to have this be adjusted. It's very common (even for tech giants like google/github) to allow more than one window to prevent the user from experiencing the same race conditions that automation has. That is, because of how the TOTP spec is designed, it's possible that a given token will only be valid for a few seconds which would cause it to expire before the server processes it.
Maybe, but system config isn't just for things that are often changed. There are plenty of settings that are only ever set once and never touched again.
Again, the purpose of this was to prevent instantly expiring tokens as described above. The default value only allows the current token. I think a reasonable default is current+last valid tokens as well as better description of the token. |
davidalger
changed the title
davidalger
changed the title
Absolutely. I've updated the PR to change the default OTP Window to 1 and have tested this on a local installation. The default value of 1 accomplishes just this, the current code plus one in the past and one in the future are considered valid. We can probably keep the settings in tests as-is without any unfortunate consequences. |
|
@magento run all tests |
|
@nathanjosiah Any chance this will make it into the pipeline for 2.4.1? I was really hoping that reporting this early in the beta period Magento would have pulled a security related fix like this into the initial 2.4 release. The window is far too wide as it stands currently. |
|
@magento run all tests |
|
Changes Approved |
|
@magento run Functional Tests CE,Functional Tests B2B |
|
@davidalger Merged! Thank you! |
|
Thanks @nathanjosiah for helping getting this moved to a good working solution. Appreciate it! |
5 participants
Description (*)
With the OTP Window being configurable, the description needs to describe what this number does. This default number of 30 equals a 15 minute validity period, 30 second time-step X otp_window of 30 == 900 seconds.
There is an added question here of whether a default value of 30 here even makes sense. I would tend to think it's way too high. TOTP codes are generally supposed to be valid for the time-step period, give or take a few seconds to account for different system times, but being able to use a code I generated 15 minutes ago (or 30 time-step periods ago) seems very excessive. I'll be happy to open a PR for that as well, or amend this one, if others agree here.
Fixed Issues (if relevant)
Manual testing scenarios (*)
Questions or comments
Contribution checklist (*)