by Brainvire Infotech Pvt. Ltd

Implement the power of Google Authentication features in your SuiteCRM platform for improved security.


#4264 - Google Secret ID can be registered more than once and shows in plain text

Closed · General Question · created by TonyJ (Verified Purchase), 2 years ago

Hello,

We have implemented your MFA solution and I have a security concern:

  1. The Google Secret ID is stored in plaintext in the detail view/database. Initially all users could see it, until we customized it so that only the admin could. We deem this to be a security concern. Should it not be saved as an md5 hash or equivalent? -- If it was not plain text and it needed to be regenerated (e.g. the user doesn't get the email for some reason??)
  2. It can be registered more than once. We tested with the code: one user registered the Secret ID with the Google Authenticator app, then another registered an account with the same Secret ID. We appreciate that you need the user's login/password to get in before Google Authenticator is required; however, that is the weak security that Google Authenticator MFA is protecting against.

Thanks, Michael

  1. Brainvire Infotech Pvt. Ltd (Provider Affiliate), 2 years ago

    Hello Michael,

    Thank you for sharing your views and feedback.

    Yes, we have worked on your feedback and added security to saving the Google auth code.

    You can download the latest plugin and use it.

    Please share your feedback after using it. This is really important for us.

    • TonyJ (Verified Purchase), 2 years ago

      Hello - I downloaded the latest version, and I didn't see any change to the two issues I posted here.

      Can you please share the upgrade method, and what I am expected to see?

      I removed the plugin and added it again, and then went to a user that was not previously set up for MFA and had the same issues I posted.

      Thanks.

  2. Brainvire Infotech Pvt. Ltd (Provider Affiliate), 2 years ago

    Hello TonyJ,

    Hope you are doing well!

    Is your SuiteCRM a vanilla instance, and which SuiteCRM version are you using?

    I installed it on SuiteCRM 7.12.5 and it worked well on the following points:
    - Email sent as per our two-factor selection.
    - In the database we are saving the encrypted auth code, so also on the detail view.
    - While setting up another user we are getting a different code.

    Please find the attached video and images; they may help you.
    https://knagdev.demo.aurocrm.com/GA.webm

    If I missed anything, please let me know.
    

    Attachments: 220516-232446.png, 220516-232615.png

  3. TonyJ (Verified Purchase), 2 years ago

    Hello,

    FYI, we have SuiteCRM 7.12.5.

    I can confirm:
    - email sent to the user with the Secret ID
    - Secret ID is encrypted in the DB
    - turn two-factor off, then back on again: a new Secret ID is sent to the user

    I believe we are all good, with one exception: I created an account on the Google Authenticator app using the Secret ID, then I was able to set up another account on the Google Authenticator app again on the same device. I was expecting that you cannot use the Secret ID more than once? I need to get another device to test using the same Secret ID. Would this be a Google Auth matter vs. your plugin?

    Thanks for your support.

    • Brainvire Infotech Pvt. Ltd (Provider Affiliate), 2 years ago

      Hello TonyJ,

      We cannot use the same Secret ID more than once, because the Authenticator integration generates this ID.

  4. Brainvire Infotech Pvt. Ltd (Provider Affiliate), 2 years ago

    For better understanding, we can also connect and discuss your issue on Skype. Skype ID: aurocrm@hotmail.com
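The two points raised in this thread, a seed that must stay recoverable and a Secret ID that works on any number of devices, both follow from how TOTP (RFC 6238) works: the server and every enrolled authenticator app share the same seed and compute the same HMAC-SHA1 code for the current 30-second step. A one-way hash such as md5 therefore cannot be stored in place of the seed, since the server would have nothing to run the HMAC over, and no plugin can detect that a second phone was set up from the same Secret ID, because both phones produce identical codes. What a server can do is keep the seed encrypted under a key held outside the database, mint a fresh seed on every enrollment (including turning two-factor off and on again), and refuse a code that has already been consumed. The Python below is an added example written for this page, not code from the Brainvire plugin or from SuiteCRM; the user name `tonyj`, the `MfaStore` class and the stdlib HMAC-based encrypt-then-MAC in `seal`/`unseal` are illustrative assumptions (a production build would use an AEAD such as AES-GCM from the `cryptography` package, keyed from configuration or a KMS).

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30  # seconds per TOTP time step (Google Authenticator default)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the variant Google Authenticator computes."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def encode_base32(seed: bytes) -> str:
    """The 'Secret ID' form shown to the user or embedded in an otpauth:// URI."""
    return base64.b32encode(seed).decode().rstrip("=")


def decode_base32(text: str) -> bytes:
    """What every enrolled device does with a typed or scanned Secret ID."""
    return base64.b32decode(text.upper() + "=" * (-len(text) % 8))


def _derive(master_key: bytes, label: bytes) -> bytes:
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode: illustrative stand-in for a real AEAD
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
    return out[:length]


def seal(master_key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag: the seed is recoverable only with master_key."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_derive(master_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_derive(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MFA row tampered with or wrong master key")
    stream = _keystream(_derive(master_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class MfaStore:
    """Hypothetical stand-in for the plugin's user table: rows hold ciphertext, never the seed.

    A hash such as md5(seed) could not go here: verify() has to recompute the HMAC
    over the seed itself, so the stored value must be recoverable (encrypted, not hashed).
    """

    def __init__(self, master_key: bytes):
        self.master_key = master_key  # kept in config or a KMS, not in the database
        self.rows = {}  # user -> {"blob": bytes, "last_counter": int}

    def enroll(self, user: str) -> str:
        """Returns the Secret ID once; toggling two-factor off and on lands here again."""
        seed = secrets.token_bytes(20)  # fresh 160-bit seed on every enrollment
        self.rows[user] = {"blob": seal(self.master_key, seed), "last_counter": -1}
        return encode_base32(seed)

    def verify(self, user: str, code: str, unix_time: int, window: int = 1) -> bool:
        """Accept each time step once: any device holding the seed can produce the
        right code, but a code that was already consumed is refused."""
        row = self.rows[user]
        seed = unseal(self.master_key, row["blob"])
        for skew in range(-window, window + 1):
            t = unix_time + skew * STEP
            if t // STEP <= row["last_counter"]:
                continue  # replay: this step (or an earlier one) was already used
            if hmac.compare_digest(totp(seed, t), code):
                row["last_counter"] = t // STEP
                return True
        return False


if __name__ == "__main__":
    store = MfaStore(secrets.token_bytes(32))
    secret_id = store.enroll("tonyj")  # constructed user for the demo
    now = 1_700_000_000
    phone_a = totp(decode_base32(secret_id), now)
    phone_b = totp(decode_base32(secret_id), now)  # second device enrolled with the same ID
    print(phone_a == phone_b, store.verify("tonyj", phone_b, now), store.verify("tonyj", phone_a, now))
    # prints: True True False
```

Run stand-alone, the block prints `True True False`: both devices compute the same code, the first presentation is accepted, and presenting the same code again is refused. The replay check only limits reuse of a code; it cannot tell the server that a second device exists, so the real control is to treat the Secret ID as shown once and to re-enroll whenever it may have been exposed.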
