Closed
Summary
We need to ensure a minimum length for the 2FA secret. The current secret length by default is 80 bits (16 characters), but 128 bits (26 characters) is becoming the minimum in some cases, and the best default is 160 bits.
It's recommended to use 128 bits or 160 bits because some authenticator apps may have problems with non-RFC-recommended lengths (namely https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp).
Proposal
Just add a contextual config('fortify-options.two-factor-authentication.secret-length', 16) call; it will be backward compatible and secure as well.
In
<?php

/**
 * Generate a new secret key.
 *
 * The length is passed straight through to the underlying engine, so the
 * existing 16-character (80-bit) behaviour is kept when nothing is configured.
 *
 * @param  int  $secret_length  Number of base32 characters to generate.
 * @return string
 */
public function generateSecretKey(int $secret_length = 16)
{
    return $this->engine->generateSecretKey($secret_length);
}
In
<?php

use Illuminate\Support\Collection;
use Laravel\Fortify\Events\TwoFactorAuthenticationEnabled;
use Laravel\Fortify\RecoveryCode;

/**
 * Enable two factor authentication for the user.
 *
 * @param  mixed  $user
 * @param  bool  $force
 * @return void
 */
public function __invoke($user, $force = false)
{
    if (empty($user->two_factor_secret) || $force === true) {
        // Read the proposed option; falls back to today's 16-character default.
        $secret_length = (int) config('fortify-options.two-factor-authentication.secret-length', 16);

        $user->forceFill([
            'two_factor_secret' => encrypt($this->provider->generateSecretKey($secret_length)),
            'two_factor_recovery_codes' => encrypt(json_encode(Collection::times(8, function () {
                return RecoveryCode::generate();
            })->all())),
        ])->save();

        TwoFactorAuthenticationEnabled::dispatch($user);
    }
}
There is also some adaptation to do on
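As an added worked example (not code from this issue or from Fortify), the following Python script shows what the proposal changes in practice: how many bits of key material a base32 secret of 16, 26 or 32 characters actually carries once an authenticator decodes it, how the length relates to the RFC 4226 minimum (128 bits) and recommendation (160 bits), and that a TOTP computed per RFC 6238 over a 32-character secret verifies against the RFC's own test vector. The config lookup secret_length_from_config and the CONFIG_KEY constant are hypothetical stand-ins for the proposed config('fortify-options.two-factor-authentication.secret-length', 16) call; the test secret is the one from RFC 6238 Appendix B.

```python
"""Added example (not from the Fortify issue or Fortify's code base).

Shows what a 16-, 26- or 32-character base32 TOTP secret is worth in bits,
generates secrets of a configurable length, and verifies RFC 6238 TOTP codes.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

# RFC 4648 base32 alphabet; each character carries 5 bits.
BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

# RFC 4226 section 4, requirement R6: the shared secret MUST be at least
# 128 bits, and 160 bits is RECOMMENDED.
RFC4226_MIN_BITS = 128
RFC4226_RECOMMENDED_BITS = 160

# Hypothetical stand-in for the proposed Laravel config key.
CONFIG_KEY = "fortify-options.two-factor-authentication.secret-length"


def secret_length_from_config(config: dict, default: int = 16) -> int:
    """Read the configured length, keeping 16 as the backward-compatible default."""
    return int(config.get(CONFIG_KEY, default))


def generate_secret_key(length: int = 16) -> str:
    """Return `length` random base32 characters from a CSPRNG."""
    if length < 1:
        raise ValueError("secret length must be positive")
    return "".join(secrets.choice(BASE32_ALPHABET) for _ in range(length))


def decode_secret(secret: str) -> bytes:
    """Decode a base32 secret; lengths that are not a multiple of 8 need '=' padding."""
    cleaned = secret.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def secret_strength_bits(secret: str) -> int:
    """Bits of key material the authenticator actually uses after decoding."""
    return len(decode_secret(secret)) * 8


def assess_secret(secret: str) -> str:
    """Classify a secret against the RFC 4226 minimum and recommendation."""
    bits = secret_strength_bits(secret)
    if bits < RFC4226_MIN_BITS:
        return "below RFC 4226 minimum"
    if bits < RFC4226_RECOMMENDED_BITS:
        return "meets RFC 4226 minimum"
    return "meets RFC 4226 recommendation"


def hotp(secret: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(decode_secret(secret), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: str, at: Optional[int] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (30 seconds by default)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // period, digits)


def verify_totp(secret: str, code: str, at: Optional[int] = None,
                window: int = 1, period: int = 30) -> bool:
    """Accept the code for the current step and `window` steps either side."""
    now = int(time.time()) if at is None else at
    candidates = [totp(secret, now + k * period, period) for k in range(-window, window + 1)]
    # Compare every candidate so timing does not reveal which step matched.
    return any([hmac.compare_digest(c, code) for c in candidates])


def otpauth_uri(secret: str, issuer: str, account: str) -> str:
    """The otpauth:// URI an app such as FreeOTP reads from the QR code."""
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    for length in (16, 26, 32):
        s = generate_secret_key(length)
        print(f"{length} chars -> {secret_strength_bits(s)} bits: {assess_secret(s)}")
    chosen = generate_secret_key(secret_length_from_config({CONFIG_KEY: 32}))
    print(otpauth_uri(chosen, "Fortify", "user@example.com"))
    print("current code:", totp(chosen))
```

Running it prints 80, 128 and 160 bits for 16, 26 and 32 characters respectively. Only the 32-character form decodes without padding characters; a 26-character secret needs six '=' characters to decode, which is the kind of detail a strict base32 decoder in an authenticator app can trip over, so 32 characters is the length that is both RFC-recommended and decoder-friendly.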