Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TiQR token fails if user has multiple tokens #1739

Mipronimo opened this issue Jul 9, 2019 · 1 comment


Copy link

commented Jul 9, 2019

If a user has multiple challenge response token (e.g. TiQR and PUSH) he gets a QR-Code to scan. After entering the PIN in the TiQR app, a message like "Challenge not valid" appears.
If the user does not have other tokens, everything works as expected. The user will be successfully authenticated.


This comment has been minimized.

Copy link

commented Jul 9, 2019

I haven't tested this, but I believe the culprit is this check here:

if (len(challenges) == 1 and challenges[0].is_valid() and

This assumes that the transaction ID is unique, i.e. for any transaction ID, there is at most one challenge with this transaction ID. But is assumption isn't true (see #1355): If we have multiple challenge response tokens, we get several challenges with the same transaction ID.

As a fix, we should check each challenge with the given transaction ID.

Mipronimo added a commit that referenced this issue Jul 9, 2019

Fix TiQR token
closes #1739

@fredreichbier fredreichbier added bug and removed possible bug labels Jul 9, 2019

@fredreichbier fredreichbier added this to the 3.1 polishing policies milestone Jul 9, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
2 participants
You can’t perform that action at this time.