
[2FA] longevity of Backup-Codes #9036

Open
DJCrashdummy opened this issue Mar 30, 2018 · 9 comments
Labels
1. to develop Accepted and waiting to be taken care of enhancement feature: authentication good first issue Small tasks with clear documentation about how and in which place you need to fix things in. help wanted

Comments

@DJCrashdummy

As already mentioned in nextcloud/twofactor_totp#244, maybe just a question...
but shouldn't the backup codes be cleared/deleted after a user disables his 2FA?

In the database they are still present, even for users who were completely deleted ages ago.

I'm not sure if this may even become a security issue, especially if a user enables 2FA again...

@ChristophWurst ChristophWurst added enhancement help wanted 1. to develop Accepted and waiting to be taken care of feature: authentication good first issue Small tasks with clear documentation about how and in which place you need to fix things in. labels Mar 30, 2018
@nextcloud-bot nextcloud-bot added the stale Ticket or PR with no recent activity label Jun 20, 2018
@nextcloud-bot nextcloud-bot removed the stale Ticket or PR with no recent activity label Oct 1, 2018
@kesselb
Contributor

kesselb commented Oct 3, 2018

@ChristophWurst 🏓 Is this still an issue?

Util::connectHook('OC_User', 'post_deleteUser', $this, 'deleteUser');
I guess backup codes are deleted when a user is deleted. Backup codes are not deleted when all providers are disabled for a user, but I'm not sure if this is necessary.

@DJCrashdummy
Author

Maybe I'm guessing wrong, but IMHO this is even more of a security issue for users who have disabled 2FA and enable it again: because then there are backup codes still valid(?) which the user has probably carelessly discarded (because he disabled 2FA anyway). And if he has even completely forgotten about them or does not create new backup codes for whatever reason, there are still a bunch of valid backup codes floating around somewhere...!

@ChristophWurst
Member

@danielkesselberg correct, the codes get deleted when a user is deleted.

@DJCrashdummy we have to trust users that they stored their codes at a place where they can find them again later. One would otherwise also argue that we have to force users to re-generate codes once every x months because they would otherwise also lose access to them over time.

We can give them a hint when re-enabling 2FA though, sure. This is somewhat related to #11380. cc @rullzer

@DJCrashdummy
Author

@ChristophWurst you are right, but that's not my point:
I'm sure most users expect backup codes (for 2FA) to become invalid/deleted as soon as they disable 2FA completely. And as a result the most careful person may carelessly discard the (supposedly invalid) backup codes.

@ChristophWurst
Member

Did you read my last reply?

We can give them a hint when re-enabling 2FA though, sure.

@DJCrashdummy
Author

DJCrashdummy commented Oct 4, 2018

Did you read my last reply?

Yes, for sure!
A hint is good, but why not make it bulletproof and close all possible security issues by deleting the backup codes (or at least making them somehow invalid) as soon as 2FA is disabled?

@ChristophWurst
Member

backup codes (or at least making them somehow invalid) as soon as 2FA is disabled?

Scenario: phone is lost and TOTP is therefore invalid.

Solution: disable TOTP for the old phone, re-enable for the new phone.

^ here it's just a pain to have to re-generate the backup codes

But, as always, this project is open source and you're very welcome to implement a sophisticated and bullet proof solution and submit it as pull request.

@DJCrashdummy
Author

DJCrashdummy commented Oct 4, 2018

Well... in this case, wouldn't it be better to have a "renew/reload" button for the TOTP beside the enable/disable box? - so backup codes can be deleted as soon as 2FA is disabled.

Or another solution: delete the backup codes some time (let's say an hour or a day) after 2FA is disabled and not enabled again. Maybe even a week is ok, but not keeping backup codes forever and staying valid even if the user enables 2FA again after years.

Sadly I'm not a developer (just an advanced user and FOSS enthusiast), so unfortunately I can't code such things myself... else I would probably do so, as I do it for little bugfixes which are possible with my skills.

@szaimen

This comment has been minimized.

@szaimen szaimen closed this as completed May 20, 2021
@szaimen szaimen reopened this May 27, 2021