The required feature described as a wish
Description: A Static PIN is no more secure than a password. Arguably, it is not even a second factor at all, but merely a second step in the authentication process (more on this in the following findings). There may be cases where TOTP is not a viable option, and a Static PIN serves as an alternative. However, Static PIN should not be offered out-of-the-box or listed as an option, as users will naturally follow the path of least resistance toward the weaker method.
Affected Components: Management UI
Impact: The Static PIN makes the second factor as static and reusable as the password, defeating the purpose of 2FA. Because the PIN never changes, an attacker who obtains it once (by phishing, shoulder surfing, credential stuffing, or a leaked database) retains persistent access and can replay the same value indefinitely; it is exposed to every attack a password is exposed to, and adds no proof of possession.
Steps to Reproduce:
- Log in to the CloudStack Management UI as a Root Admin.
- Navigate to Configuration > Global Settings.
- Search for user.2fa.default.provider, user.2fa.providers.order, and user.2fa.providers.exclude.
- Observe that Static PIN is not excluded and may be presented as a selectable option.
Recommended Remediation: Adopt a secure-by-default, opt-out model: set user.2fa.default.provider to TOTP, set user.2fa.providers.order to TOTP only by default, and add the Static PIN provider to user.2fa.providers.exclude unless explicitly re-enabled by an administrator.
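The remediation above can be checked and applied without clicking through the UI. The following script is an added example for this finding, not code from the CloudStack project or from the original report. It assumes the provider identifiers "totp" and "staticpin", uses the CloudStack API signing scheme (parameters sorted by name, values URL-encoded, the whole query lowercased, HMAC-SHA1 with the secret key, base64, appended as `signature`), and the configuration values it audits are constructed to mirror the observation in the Steps to Reproduce, not copied from a live system.

```python
"""Audit CloudStack 2FA provider settings against a secure-by-default
baseline and build the signed updateConfiguration requests to fix them.

Added example, not CloudStack project code. Assumptions: provider
identifiers "totp" and "staticpin"; CloudStack's HMAC-SHA1 request
signing; constructed sample values below.
"""
import base64
import hashlib
import hmac
import urllib.parse

TOTP = "totp"            # assumed provider identifier
STATIC_PIN = "staticpin"  # assumed provider identifier

KEY_DEFAULT = "user.2fa.default.provider"
KEY_ORDER = "user.2fa.providers.order"
KEY_EXCLUDE = "user.2fa.providers.exclude"

# Constructed sample mirroring the finding: Static PIN is neither excluded
# nor removed from the provider order, so the UI may offer it.
OBSERVED_SAMPLE = {
    KEY_DEFAULT: "totp",
    KEY_ORDER: "totp,staticpin",
    KEY_EXCLUDE: "",
}

# Secure-by-default target: TOTP only, Static PIN explicitly excluded.
HARDENED = {
    KEY_DEFAULT: TOTP,
    KEY_ORDER: TOTP,
    KEY_EXCLUDE: STATIC_PIN,
}


def _split(value):
    """Normalise a comma-separated provider list into a lowercase list."""
    return [p.strip().lower() for p in (value or "").split(",") if p.strip()]


def audit_2fa_settings(config):
    """Return a list of findings; an empty list means the settings match HARDENED."""
    findings = []
    if (config.get(KEY_DEFAULT) or "").strip().lower() != TOTP:
        findings.append(f"{KEY_DEFAULT} is not {TOTP}")
    order = _split(config.get(KEY_ORDER))
    if order != [TOTP]:
        findings.append(f"{KEY_ORDER} should list only {TOTP}, got {order}")
    if STATIC_PIN not in _split(config.get(KEY_EXCLUDE)):
        findings.append(f"{STATIC_PIN} is not listed in {KEY_EXCLUDE}")
    return findings


def remediation_params(config):
    """Build the updateConfiguration parameter sets needed to reach HARDENED."""
    updates = []
    for key, wanted in HARDENED.items():
        if _split(config.get(key)) != _split(wanted):
            updates.append({"command": "updateConfiguration", "name": key, "value": wanted})
    return updates


def sign_request(params, api_key, secret_key):
    """Return a signed query string (CloudStack HMAC-SHA1 scheme): sort the
    parameters by name, URL-encode values, lowercase the whole string, HMAC-SHA1
    it with the secret key, base64-encode and append it as `signature`."""
    full = dict(params, apikey=api_key, response="json")
    encoded = "&".join(
        f"{k}={urllib.parse.quote(str(v), safe='*').replace('+', '%20')}"
        for k, v in sorted(full.items(), key=lambda kv: kv[0].lower())
    )
    digest = hmac.new(secret_key.encode(), encoded.lower().encode(), hashlib.sha1).digest()
    signature = urllib.parse.quote(base64.b64encode(digest).decode(), safe="")
    return f"{encoded}&signature={signature}"


if __name__ == "__main__":
    # Placeholder credentials; replace with a Root Admin API key pair.
    for finding in audit_2fa_settings(OBSERVED_SAMPLE):
        print("finding:", finding)
    for update in remediation_params(OBSERVED_SAMPLE):
        print("GET /client/api?" + sign_request(update, "API_KEY", "SECRET_KEY"))
```

Run the audit against the output of listConfigurations for the three keys; the generated query strings are the exact requests a Root Admin would send to apply the opt-out model, and re-running the audit afterwards should return no findings.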