Two factor security answers are exposed in ACP


I noticed a member who had turned on two factor authentication and provided security answers. I don't believe it's security best practice to show these values to anyone looking at the member's account in plaintext, without some sort of action being taken that is logged. For example, a button to view the values that then logs the account who requested to view the values, or even better, only validate that the entered answer matched what the user specified without displaying the values at all.

Right now, the answers are available to anyone with permission to view without taking any action to see the answers. Please change this behavior to require a click on something that would insert "Paul E. viewed member's security questions and answers" or such in the account activity logs at a minimum.

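The design the post above asks for, as an added example that is not Invision Community's code: security answers are stored only as salted PBKDF2 hashes, so the ACP can verify an answer an admin types in but can never display the stored one, and every privileged lookup writes an audit entry. The member record, the `AUDIT_LOG` list and the admin name are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
import unicodedata
from dataclasses import dataclass, field
from typing import Optional

# Constructed example of "verify only" storage for 2FA security answers:
# the stored value is a salted hash, so viewing the member record in the
# ACP cannot reveal the answer, and every admin lookup is logged.

PBKDF2_ROUNDS = 100_000


def normalize_answer(answer: str) -> str:
    """Case-fold and collapse whitespace so "Rex" and "  rex " both match."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest) for a normalized answer; a fresh salt is used when none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


@dataclass
class SecurityQuestion:
    question: str
    salt: bytes
    digest: bytes  # only the hash is kept; the plaintext answer is never stored


@dataclass
class MemberRecord:
    member_id: int
    questions: list[SecurityQuestion] = field(default_factory=list)


# Hypothetical in-memory stand-in for the ACP "member activity" log.
AUDIT_LOG: list[dict] = []


def _audit(actor: str, action: str, member: MemberRecord, **extra) -> None:
    entry = {"ts": time.time(), "actor": actor, "action": action, "member": member.member_id}
    entry.update(extra)
    AUDIT_LOG.append(entry)


def set_security_answers(member: MemberRecord, answers: dict[str, str]) -> None:
    """Member-side enrolment: hash each answer with its own salt and discard the plaintext."""
    member.questions = []
    for question, answer in answers.items():
        salt, digest = hash_answer(answer)
        member.questions.append(SecurityQuestion(question, salt, digest))


def verify_answer(member: MemberRecord, question: str, supplied: str) -> bool:
    """Constant-time comparison of the supplied answer against the stored hash."""
    for sq in member.questions:
        if sq.question == question:
            _, digest = hash_answer(supplied, sq.salt)
            return hmac.compare_digest(digest, sq.digest)
    return False


def acp_view_questions(admin_name: str, member: MemberRecord) -> list[str]:
    """What the ACP can show: the question text only, and the view itself is logged."""
    _audit(admin_name, "viewed_2fa_questions", member)
    return [sq.question for sq in member.questions]


def acp_check_answer(admin_name: str, member: MemberRecord, question: str, supplied: str) -> bool:
    """Admin types an answer the member gave over the phone; only match/no-match is returned, and it is logged."""
    ok = verify_answer(member, question, supplied)
    _audit(admin_name, "checked_2fa_answer", member, question=question, result=ok)
    return ok


if __name__ == "__main__":
    m = MemberRecord(42)
    set_security_answers(m, {"First pet?": "Rex", "City of birth?": "Berlin"})
    print(acp_view_questions("Paul E.", m))
    print(acp_check_answer("Paul E.", m, "First pet?", "rex"))
    print(AUDIT_LOG[-1])
```

With this layout an administrator holding the "view and edit two factor settings" permission still cannot read the answers out of the member record; the only privileged operations are listing the questions and checking a candidate answer, and both leave an entry in the activity log.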

There's already a dedicated ACP permission for this.

Only administrators with the "Can view and edit members' two factor authentication settings?" permission are able to see and edit this. If you're worried that your administrators could abuse the system, don't give them the permission to view and edit this 🙂 

23 minutes ago, Daniel F said:

There's already a dedicated ACP permission for this.

Only administrators with the "Can view and edit members' two factor authentication settings?" permission are able to see and edit this. If you're worried that your administrators could abuse the system, don't give them the permission to view and edit this 🙂 

I understand there's a separate permission, however I believe this data should not be shown without explicitly requesting it and logging that it was requested to be viewed. This should be an auditable activity.

Someone that has this permission should not be able to see the answers of every person who has supplied those answers just by viewing the member record in ACP.
