I'm using the GoogleAuthenticator
nuget package for 2FA
authentication in an ASP.NET application. The issue being that the function ValidateTwoFactorPIN
always returns true
even when the authenticator app has already changed TOTP
code.
public TwoFactorSetupResponse Enable(string email)
{
var accountSecretKey = $"{SecretCode}-{email}";
var setupInfo = _twoFactorAuthenticator.GenerateSetupCode("App", email, Encoding.ASCII.GetBytes(accountSecretKey));
return new TwoFactorSetupResponse()
{
Account = setupInfo.Account,
ManualEntryKey = setupInfo.ManualEntryKey,
QrCodeSetupImageUrl = setupInfo.QrCodeSetupImageUrl,
};
}
public bool IsCodeValid(string email, string code)
{
var accountSecretKey = $"{SecretCode}-{email}";
return _twoFactorAuthenticator.ValidateTwoFactorPIN(accountSecretKey, code);
}
CodePudding user response:
That package's default drift tolerance is five minutes, so either test with smaller tolerance or wait until the tolerance window has passed.