[Koha-bugs] [Bug 20476] Two factor authentication for the staff client - omnibus

[bugzilla-daemon at bugs.koha-community.org]

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476

Sam S <tech.sam at salinapublic.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tech.sam at salinapublic.org

--- Comment #6 from Sam S <tech.sam at salinapublic.org> ---
I've been testing the module in our install, working great so far, but I
noticed a few issues, both minor:

1. The authentication form field is not marked to be excluded from auto
completion. Because of this, after several weeks of use, every time I click on
the field, I see a list of all prior authentication codes used. This might be
possible to be used in an attack to reverse-engineer the secret key using past
codes and when they were entered. Information on how to disable auto
completionon form fields can be found here:
https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

2. There's currently no option to "trust current device" something that most
MFA modules include, so a user can mark a local device to be excluded from the
MFA check for an amount of time (typically a month or so)

-- 
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.