Two Factor Authentication Prevent Conflicting Accounts #978

Closed
opened 2025-11-02 03:44:09 -06:00 by GiteaMirror · 1 comment
Owner

Originally created by @daviian on GitHub (Aug 18, 2017).

  • Gitea version (or commit ref): 1.1.3
  • Git version: 2.1.4
  • Operating system: raspbian
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

If you have accounts on multiple gitea instances it could happen that you overwrite an existing TOTP Key. This is due to the way TOTP Authentication Apps handle entries, see https://github.com/google/google-authenticator/wiki/Conflicting-Accounts.
The circumstances under which this happens:

  • Same Application Name
  • Same Account Name
  • On both instances TOTP enabled

In the worst scenario a user can get locked out of one instance.
Happend to me once but fortunately had access to the database and was able to delete the entry in two_factor table.

I have already opened in issue at https://github.com/pquerna/otp/issues/20
Owner mentioned that library exposes all needed stuff to prevent this and a possible solution https://github.com/pquerna/otp/issues/20#issuecomment-323384960
Unfortunately with his proposed solution the problem still exists if same application name is used.
I'd rather use the URL from the gitea installation.

Originally created by @daviian on GitHub (Aug 18, 2017). <!-- 1. Please speak English, this is the language all of us can speak and write. 2. Please ask questions or configuration/deploy problems on our Discord server (https://discord.gg/NsatcWJ) or forum (https://discourse.gitea.io). 3. Please take a moment to check that your issue doesn't already exist. 4. Please give all relevant information below for bug reports, because incomplete details will be handled as an invalid report. --> - Gitea version (or commit ref): 1.1.3 - Git version: 2.1.4 - Operating system: raspbian - Database (use `[x]`): - [ ] PostgreSQL - [x] MySQL - [ ] MSSQL - [ ] SQLite - Can you reproduce the bug at https://try.gitea.io: - [ ] Yes (provide example URL) - [ ] No - [x] Not relevant - Log gist: ## Description If you have accounts on multiple gitea instances it could happen that you overwrite an existing TOTP Key. This is due to the way TOTP Authentication Apps handle entries, see https://github.com/google/google-authenticator/wiki/Conflicting-Accounts. The circumstances under which this happens: - Same Application Name - Same Account Name - On both instances TOTP enabled In the worst scenario a user can get locked out of one instance. Happend to me once but fortunately had access to the database and was able to delete the entry in two_factor table. I have already opened in issue at https://github.com/pquerna/otp/issues/20 Owner mentioned that library exposes all needed stuff to prevent this and a possible solution https://github.com/pquerna/otp/issues/20#issuecomment-323384960 Unfortunately with his proposed solution the problem still exists if same application name is used. I'd rather use the URL from the gitea installation.
GiteaMirror added the type/enhancement label 2025-11-02 03:44:09 -06:00
Author
Owner

@daviian commented on GitHub (Aug 20, 2017):

@lunny As it is already merged I think it can be closed?

@daviian commented on GitHub (Aug 20, 2017): @lunny As it is already merged I think it can be closed?
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#978