2 Factor Authentication Code can access multiple accounts

Hi guys,
I have set up 2-factor authentication on Virtualmin; however, a single QR code is able to access multiple accounts (even where those accounts have different ones configured in Virtualmin).

For example, the code for my root account can also be used by other accounts on the same system for 2FA when logging in.

Why is it doing this? What is wrong?

I think you’re misunderstanding what the QR code in 2FA does. It is how the private key for generating codes is added to your 2FA app. If you use the same secret to generate the QR for two accounts it will work for both accounts because it’s the same private key (though I somehow thought it was more complicated than that on the back end, but I guess not, if that’s the behavior you’re seeing… regardless, you shouldn’t use the same QR to seed multiple accounts).

When you set up 2FA, did you maybe let your browser autofill the secret key with a saved key from the other user? That’s the only good explanation I can come up with. You’ll need to create a new key and scan the new QR code for one or both of the accounts. Just make sure you don’t use the same key for both.
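To illustrate the point in the reply above, here is an added example (not code from this thread, Webmin or Virtualmin) of how a TOTP code is derived from the per-user secret carried in the QR code, and how a verifier must check the code only against the secret enrolled for the user who is logging in. The secrets are constructed; the "adam" one is the RFC 6238 test key, and the user names are assumptions.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter = Unix time // step."""
    return hotp(secret_b32, at // step)


# Constructed enrolment table: one base32 secret per user, exactly what the
# otpauth:// QR code hands to the authenticator app. "adam" uses the RFC 6238
# test key (ASCII "12345678901234567890"); "root" is an arbitrary other key.
USER_SECRETS = {
    "root": "JBSWY3DPEHPK3PXP",
    "adam": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}


def verify(user: str, code: str, at: int, window: int = 1) -> bool:
    """Accept a code only if it matches the secret enrolled for *this* user.

    A code is bound to a secret, not to a user; the binding comes from the
    verifier looking up the secret by the login name. Allowing +/- `window`
    time steps tolerates small clock drift between server and phone.
    """
    secret = USER_SECRETS.get(user)
    if secret is None:
        return False
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * 30)
        # compare_digest keeps the comparison constant-time.
        ok |= hmac.compare_digest(expected, code)
    return ok


if __name__ == "__main__":
    t = 59  # RFC 6238 vector: adam's code at t=59 is 287082
    print("adam code:", totp(USER_SECRETS["adam"], t))
    print("adam accepted:", verify("adam", totp(USER_SECRETS["adam"], t), t))
    print("root with adam's code:", verify("root", totp(USER_SECRETS["adam"], t), t))
```

If the same secret were stored for both users, the last line would print True, which is the symptom described in the original post.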

I have noticed the following: when you upgrade to Webmin version 1.941 with Authentic theme version 19.50 (I know that this is not recommended), two-factor authentication isn’t working at all. You can even log in while leaving the token field blank.

I think this is what happens to the TS.

Nevertheless, it would be nice if this could be fixed.

Ah, that’d be an actionable bug! (And, I guess if 2FA is actually broken, and not being verified, it’d explain the original topic.)

But, I can’t reproduce it even with theme 1.950, though I haven’t downgraded to version 1.941. Can you upgrade to the current version 1.942? And, also include your distro/version when following up (I don’t think it’s relevant, but I don’t really have any ideas, as it works for me).

Two-factor authentication is (also) not working on:

Operating system CentOS Linux 7.8.2003
Webmin version 1.942
Authentic theme version 19.46 and 19.50

I use Authy, switching to Google shows:
Failed to save two-factor authentication : The Perl module Authen::OATH needed for two-factor authentication is not installed. Use the Perl Modules page in Webmin to install it.

Don’t know if this has anything to do with it… but it worked before. When I change back to Authy I don’t see a failure notification, but I can still log in without a token.

FYI, on another server:

Operating system CentOS Linux 6.10
Webmin version 1.941 / 1.942
Authentic theme version 19.50

Two-factor authentication works fine … weird.

Operating system CentOS Linux 8.1.1911
Webmin version 1.942
Usermin version 1.791
Virtualmin version 6.09
Authentic theme version 19.46

Two-factor authentication doesn’t work

Operating system Debian Linux 9
Webmin version 1.942
Authentic theme version 19.47

Two-factor authentication works fine. Haven’t tried with 19.50.

So, what I’m seeing is only Authy (or rather our implementation of it) is maybe the problem? Nobody is reporting Google Authenticator not working, right? (I mean, you’re missing a dependency, but that’s not a bug.)

My Google 2FA works, but Joe, the issue has nothing to do with the same code being created for separate logins. I am not that stupid.

I have generated one code for my personal admin account in Virtualmin and that code can be used to log into other accounts… it simply shouldn’t be this way.

A code for the adam admin account should only work with the adam admin account… nothing else!

One code should automatically only work with a single user, period!

Sorry, I didn’t mean to imply you’re stupid.

When you say “my google 2fa works” do you mean Google Authenticator is working correctly (not allowing multiple accounts to login with the same code)? And, presumably, that means you also have Authy setup and that is the one having this problem? If I can narrow it down I can reproduce it and fix it, or get Jamie to fix it.

Is this with Authy or Google?

Virtualmin uses Authy by default, doesn’t it?

I access the codes via two apps…

  1. Google Authenticator
  2. Microsoft Authenticator

To give an update, I added a new virtual server yesterday for a client… I was able to use my own 2FA to log into his account in Virtualmin!

Is that supposed to happen?

No, that’s not supposed to happen. But, I really need some clarity here so I can reproduce the problem.

Are you using Authy or Google Authenticator when you set up 2FA in Virtualmin?

You said above that “my google 2fa works”. Do you mean that when you select Google Authenticator in Virtualmin’s 2FA setup you get correct behavior (i.e. codes don’t work across multiple accounts)?

2FA is enabled in Webmin, not Virtualmin, and yes, I have it set to Google Authenticator. I am able to use the same code across multiple accounts.