[Koha-bugs] [Bug 20476] Two factor authentication for the staff client - omnibus
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Tue Mar 14 17:15:30 CET 2023
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476
Sam S <tech.sam at salinapublic.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |tech.sam at salinapublic.org
--- Comment #6 from Sam S <tech.sam at salinapublic.org> ---
I've been testing the module in our install, working great so far, but I
noticed a few issues, both minor:
1. The authentication form field is not marked to be excluded from auto
completion. Because of this, after several weeks of use, every time I click on
the field, I see a list of all prior authentication codes used. This might be
possible to be used in an attack to reverse-engineer the secret key using past
codes and when they were entered. Information on how to disable auto
completionon form fields can be found here:
https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion
2. There's currently no option to "trust current device" something that most
MFA modules include, so a user can mark a local device to be excluded from the
MFA check for an amount of time (typically a month or so)
--
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
More information about the Koha-bugs
mailing list