Enabled two-factor authentication within Webmin using Authy.
When logging in, a two-factor token field is present.
But it doesn't actually check for a valid token. You can input a token provided by Authy to authenticate as expected. But you can also leave the token field blank or provide a bogus token value and Webmin will still allow you to successfully log in.
Is this a known issue? Is there a solution?
I see that others have experienced this as well a few years back and were told it was going to be fixed.
https://sourceforge.net/p/webadmin/bugs/4406/
Are you sure that the user you are logging in as is enrolled for two-factor in Webmin?
Logging in as root and continuing with the 2FA authentication moved me forward. I noticed after it was set up that if I logged out of root and back in under my admin account, 2FA w/ Authy was working, but if I disabled it under Admin (which it allows me to do), what happens is that the 'Security token field' is removed from the login page but the requirement for a token still remains.
The username and password fields are still present, but when logging in an error is thrown that asks for a security token, which can't be provided since the field is no longer there, bricking the Webmin login. Is there a way to prevent an admin account from shooting themselves in the foot like this?
Good point ... I will add a check to prevent two-factor from being disabled globally if any users are currently enrolled.