ID: 20366
Project: Bug reports
Category: Security
View Status: public
Last Update: 2025-12-19 10:54
Reporter: kemweb
Assigned To: DenisChenu
Priority: none
Severity: tweak
Status: in code review
Resolution: open
Summary: 20366: TwoFactorAdminLogin secret should have 128 bits
Description

Common tools like FreeOTP consider less than 128 bits as unsafe.
The user gets an "Token is unsafe!" message
See https://github.com/freeotp/freeotp-android/issues/287#issuecomment-3270329291

Tags: No tags attached.
Bug heat: 254

Activities

DenisChenu (developer), 2025-12-03 10:10, note ~83980

https://github.com/LimeSurvey/LimeSurvey/pull/4559

DenisChenu (developer), 2025-12-17 17:58, note ~84033

Decision needed

  1. Set 128 (or more) without any way to update
  2. Add a PHP config setting to allow setting it to more than 128
kemweb (reporter), 2025-12-19 10:13, note ~84044

I would prefer (2) to add this as config option in the plugin with a default of 160 (as they have in RobThree/TwoFactorAuth).
But I did not find the time to add the option myself, yet.

DenisChenu (developer), 2025-12-19 10:38, note ~84045

But I did not find the time to add the option myself, yet.

OK, I take it.

And maybe like this:

    // Read the configured length; anything below 128 bits is raised to 128
    // (RFC 4226 requires at least 128 bits and recommends 160).
    $secretlength = intval($this->get('secretlength', null, null, 0));
    if ($secretlength < 128) {
        $secretlength = 128;
    }
    $oTFAModel->secretKey = $o2FA->createSecret($secretlength);

Unless there is a possibility, however slim, that there is an advantage in bidding less than 128.
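
Added example (not LimeSurvey's, RobThree's or FreeOTP's code), written in Python rather than the plugin's PHP: it mirrors the 128-bit floor from the snippet above and adds the check a client like FreeOTP applies, flagging a provisioned secret whose base32 length carries fewer than 128 bits. `create_secret`, `secret_bits`, `is_unsafe` and the sample otpauth URI are constructed for illustration.

```python
import secrets
from urllib.parse import parse_qs, urlparse

# Floor proposed in this issue; RFC 4226 requires >= 128 bits, recommends 160.
MIN_SECRET_BITS = 128
BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def effective_secret_bits(requested_bits: int, floor_bits: int = MIN_SECRET_BITS) -> int:
    """Same rule as the PHP snippet: a request below the floor is raised to it."""
    return max(int(requested_bits), floor_bits)


def create_secret(bits: int) -> str:
    """Constructed helper: one random base32 character per 5 bits (rounded up),
    so 128 bits -> 26 chars, 160 bits -> 32 chars."""
    n_chars = -(-bits // 5)  # ceil(bits / 5)
    return "".join(secrets.choice(BASE32_ALPHABET) for _ in range(n_chars))


def secret_bits(secret: str) -> int:
    """Entropy carried by a base32 secret: 5 bits per data character.
    Padding and the spaces some apps insert for readability are ignored."""
    data = secret.replace("=", "").replace(" ", "").upper()
    if any(c not in BASE32_ALPHABET for c in data):
        raise ValueError("secret is not base32")
    return 5 * len(data)


def secret_bits_from_otpauth(uri: str) -> int:
    """Bit length of the secret inside an otpauth:// provisioning URI."""
    params = parse_qs(urlparse(uri).query)
    return secret_bits(params["secret"][0])


def is_unsafe(secret: str) -> bool:
    """True when a client applying the 128-bit threshold would warn."""
    return secret_bits(secret) < MIN_SECRET_BITS


if __name__ == "__main__":
    # Constructed 80-bit (16-char) secret: the kind that triggers "Token is unsafe!"
    weak = "JBSWY3DPEHPK3PXP"
    print(weak, secret_bits(weak), "bits, unsafe:", is_unsafe(weak))
    strong = create_secret(effective_secret_bits(0))  # unset config -> 128-bit floor
    print(strong, secret_bits(strong), "bits, unsafe:", is_unsafe(strong))
```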

kemweb (reporter), 2025-12-19 10:54, note ~84046

I see no reason to use less than 128 bit.
Smaller values create smaller QR codes, but still no one should use less.

Issue History

Date Modified Username Field Change
2025-11-21 12:28 kemweb New Issue
2025-11-21 18:00 c_schmitz Project Feature requests => Bug reports
2025-11-21 18:00 c_schmitz Severity feature => tweak
2025-11-21 18:00 c_schmitz Complete LimeSurvey version number (& build) => .
2025-12-02 19:14 tibor.pacalat Assigned To => DenisChenu
2025-12-02 19:14 tibor.pacalat Status new => ready for code review
2025-12-03 10:10 DenisChenu Status ready for code review => in code review
2025-12-03 10:10 DenisChenu Note Added: 83980
2025-12-03 10:10 DenisChenu Bug heat 250 => 252
2025-12-17 17:57 DenisChenu Assigned To DenisChenu => tibor.pacalat
2025-12-17 17:58 DenisChenu Note Added: 84033
2025-12-19 10:13 kemweb Note Added: 84044
2025-12-19 10:13 kemweb Bug heat 252 => 254
2025-12-19 10:38 DenisChenu Note Added: 84045
2025-12-19 10:38 DenisChenu Assigned To tibor.pacalat => DenisChenu
2025-12-19 10:54 kemweb Note Added: 84046