Potential Security Vulnerability: 6-Digit TOTP Code for Two-Factor Authentication
Hello,
I don’t know if it is the right place to share this observation but I have noticed an unusual behavior regarding the two-factor authentication on my Cloudflare account. The 6-digit TOTP code generated by my Google Authenticator app remained unchanged for several renewal cycles (I am not sure exactly how many, as I did not count).
At first, I thought it might be a bug in the Google Authenticator app. In that case, the TOTP code should not have allowed me to log in to my Cloudflare account after more than 30 seconds. But it did! Even after more than 2 minutes, I was still able to log in with the same TOTP code, which is not normal and constitutes a significant security vulnerability.
Since I know that Cloudflare provides TOTP two-factor authentication solutions to its clients to secure their own products (including myself), I am concerned that this could pose a security risk for other users as well, which is why I decided to inform you.
Could you please check if everything is correctly configured on your end or if there is a known issue that could explain this behavior?
FYI: I have observed that it is now working again: the code changes with each cycle.
Thank you in advance for your help.
Best regards,
Fred
Not from Cloudflare, but I know of multiple sites where the TOTP token works for a couple of seconds after it expires to account for time drift.