Opened 6 years ago

Closed 6 years ago

#729 closed enhancement (fixed)

Check YubiKey password before user password

Reported by: Nicklas Nordborg Owned by: Nicklas Nordborg
Priority: critical Milestone: YubiKey v1.2
Component: net.sf.basedb.yubikey Keywords:
Cc:

Description

The current implementation we first check if the regular user password is correct or not. If it is not correct an error message is displayed and the YubiKey OTP is never checked. This means that we are left with a valid YubiKey OTP not accounted for that could potentially be snapped up and used by someone else.

Ok, this is not as bad as it first sounds since YubiKey keeps track of the sequence of generated OTPs. Eg. an unusued OTP becomes invalid as soon as new OTP has been generated and validated against the server.

Change History (1)

comment:1 Changed 6 years ago by Nicklas Nordborg

Resolution: fixed
Status: newclosed

(In [3133]) Fixes #729: Check YubiKey? password before user password

Re-ordered the checks in the YubiKeyAuthenticationManager so that the one-time-password is verified before the password.

Note: See TracTickets for help on using tickets.