Google Authenticator

by Brainvire Infotech Pvt. Ltd

Implement the power of Google Authentication features in your SuiteCRM platform for improved security.

Free 30 day trial

Try it Now

#4264 - Google Secret ID can be registered more than once and shows in plain text

Closed General Question created by TonyJ Verified Purchase a year ago

Hello,

we have implemented your MFA solution and I have a security cocern

The Google Secret ID is stored in plaintext in detailview/database - initially all users could until we customized so only admin could see - we deem this to be a security concern -should it not be saved as md5 hash or equivalent -- if it was not plain text and it needed to be regenerated (eg. User doesn't get email for some reason??)
can be registered more than once - we tested with the code and one user registered the secret ID with google authenticator app - then another registered an account with the same secret ID - we appreciate that you need the users' login/pass to get in before the google authenticator is required - however that is the weak security that Google Authenticator MFA is protecting against.

Thanks, Michael

Brainvire Infotech Pvt. Ltd Provider Affiliate
a year ago

Hello Michel,

Thank you for sharing your views and feedback.

Yes, we have worked on your feedback and added security in saving the google auth code.

You can download the latest plugin and use it.

Please share your feedback after using it. This is really important for us.

reply
- TonyJ Verified Purchase
  a year ago
  
  Hello - I downloaded the latest version - and I didn't see any change to the two issues I posted here.
  
  Can you please share the upgrade method - and what I am expecting to see.
  
  I did remove the plugin and added it again - and then went to a user that was not previously setup for MFA and had the same issues I posted.
  
  Thanks.
  
  reply

Brainvire Infotech Pvt. Ltd Provider Affiliate

a year ago

Hello TonyJ

Hope you are doing well!

Is your SuiteCRM a Vanilla Instance? And Which suitecrm version you are using?

As I installed it on Suite 7.12.5 and It worked well for the following points:
- - Email sent as per our two-factor selection.
- - In the database, we are saving encrypted auth code so on detail view.
- - While setting up another user we are getting different code.

Please find attached video and Images, It may help you.
https://knagdev.demo.aurocrm.com/GA.webm

If I miss anything, please let me know.

TonyJ Verified Purchase
a year ago

Hello,

fyi - we have SuiteCRM 7.12.5.

I can confirm: -- email sent to user with Secret ID -- Secret ID is encrypted in DB -- turn TWO FACTOR OFF - then back on again - a new Secret ID is sent to the User

I believe we are all good with one exception - i created an account on the google authenticator app using the Secret ID -- then I was able to setup another account on the Google Authenticator App again on the same device --- I was expecting that you can not use the Secret ID more than once? I need to get another device to test using the same secret ID - would this be a google auth matters vs. your plugin?

Thanks for your support.

reply
- Brainvire Infotech Pvt. Ltd Provider Affiliate
  a year ago
  
  Hello TonyJ,
  
  We cannot use the same Secret Id more than once. Because Authenticator Integration generates this Id.
  
  reply
Brainvire Infotech Pvt. Ltd Provider Affiliate
a year ago

For better understanding, We can also connect and discuss your issue on skype as well. Skype Id : aurocrm@hotmail.com

reply

This case is public. Please leave out any sensitive information such as URLs, passwords, etc.

Saving Comment...

Google Authenticator

#4264 - Google Secret ID can be registered more than once and shows in plain text

Other add-ons of interest

Glances - Integrate SuiteCRM with all your apps