https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32369 Bug ID: 32369 Summary: Two Factor Authentication Can Be Bypassed If Catalog and Staff Client URL Aren't Properly Configured Change sponsored?: --- Product: Koha Version: 22.05 Hardware: All OS: All Status: NEW Severity: minor Priority: P5 - low Component: Authentication Assignee: koha-bugs@lists.koha-community.org Reporter: cslone@camdencountylibrary.org QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org Ideally, there aren't any publicly accessible, production sites set up in the way described below, however there is a bypass of 2FA if there are (though this would still require a compromised PIN). I have a test environment of Koha on a local-network server. When I first set it up, I made the staff client address the IP of the server, and the OPAC the same IP at a specific port (xxx.xxx.xxx.xxx:8081). I've never gotten around to correcting that, and consequently when I'm logged into the staff client it also considers me to be logged in to the OPAC, and visa versa (at that point I can go to either the IP or the IP+Port to go between them). I set up two factor authentication on a staff account, which is working correctly when I log into the staff client. As expected, when I log into the OPAC there's no 2FA code requested, however I can then just go to the base IP (the staff client) and I will be logged into the staff client without having to deal with 2FA. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.