Description
Something I have been thinking about:
Let's say we log in using our TFA code on one computer. If the time limit hasn't passed yet, is it possible to log in on a second computer using the same TFA code?
If it is, this is a security problem. TFA should be a one-time code. If it is not, a keylogger will be able to capture our information and the attacker can login even though we are already logged in. Keyloggers are one of the things TFA is supposed to block.
To remedy:
We should store the TFA code that is used for successful login until the timeout.
When a user logs in, make sure they aren't using any of the TFA codes that are marked as used already.
After the timeout, clear old TFA codes from the 'used' table.
Perhaps add a config option to turn it off for debugging or if the admin doesn't care.
The current implementation (and many others I see on the web) is also vulnerable to screen readers. Standard practice is to *** the password field, but why don't we do this for the TFA field too?
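As an added illustration of the remedy proposed above (this is example code written for this issue, not the project's own implementation): a small RFC 6238 TOTP verifier whose "used" table records each accepted code until the moment it could no longer be accepted, rejects a second login that presents the same code, purges expired entries on every call, and has a flag that switches the check off. The secret, user names and timestamps are constructed test inputs; the used table is an in-memory dict standing in for the database table the issue describes.

```python
import hashlib
import hmac
import struct
import time

STEP = 30     # TOTP time step in seconds
DIGITS = 6    # code length
WINDOW = 1    # also accept the previous and next time step (clock skew)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, now // step)


class TotpVerifier:
    """Verifies TOTP codes and refuses to accept the same code twice."""

    def __init__(self, step: int = STEP, window: int = WINDOW,
                 enforce_single_use: bool = True):
        self.step = step
        self.window = window
        # The issue's suggested config option: turn the replay check off.
        self.enforce_single_use = enforce_single_use
        # "used" table: (user, time-step counter) -> unix time after which
        # the entry can be dropped because the code is no longer accepted.
        self._used: dict = {}

    def _purge(self, now: int) -> None:
        """Clear old entries from the used table (the issue's step 3)."""
        self._used = {k: exp for k, exp in self._used.items() if exp > now}

    def verify(self, user: str, secret: bytes, code: str, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        self._purge(now)
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            expected = hotp(secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                key = (user, counter)
                if self.enforce_single_use and key in self._used:
                    return False  # same code already used for a login: replay
                # Keep the entry until the last second this counter is accepted.
                self._used[key] = (counter + self.window + 1) * self.step
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed test secret (RFC 4226 vector)
    v = TotpVerifier()
    code = totp(secret, 59)
    print("first login:", v.verify("alice", secret, code, now=59))    # True
    print("replay on second computer:", v.verify("alice", secret, code, now=61))  # False
```

Keying the used table on the time-step counter rather than on the six-digit string means a code is remembered for exactly as long as the verifier would still accept it, and it matches the RFC 6238 advice to remember the last accepted time step. Two caveats a deployment needs: the table must live in shared storage (the database, as the issue proposes), otherwise a second app server will not see the first server's entry; and the check only helps when the legitimate user logs in first, since an attacker who replays a captured code before the user does will be the one whose login is accepted.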