After adding additional accounts I encountered something worse:
I have a Posteo.de mail account, and every time the Label is something like Some Service:[email protected] (with the mail address correctly in the account-name part), 2FAS selects Posteo as the brand and overwrites the Name.
Bug type
Other
App version
5.4.5
Device environment
Android 11
Bug description
When adding a self-hosted service (e.g. authentik), the user might have access to multiple instances of that service with different credentials.
Given the following otpauth URLs (note the different issuers):
otpauth://totp/example.com authentik:JohnDoe?secret=FFFFFFFF&algorithm=SHA1&digits=6&period=30&issuer=example.com authentik
otpauth://totp/authentik of ACME Inc:JohnDoe?secret=ABABABAB&algorithm=SHA1&digits=6&period=30&issuer=authentik of ACME Inc
After importing the entries look like this:
2FAS sees the authentik substring and selects the authentik brand, which I generally like because it adds the icon. But the brand also overwrites the issuer, which carries the information about which authentik instance the token belongs to. If the user has access to multiple authentik instances with the same username, the services become indistinguishable because they are all named "authentik".
authentik is just an example; other self-hosted applications might use different issuers. authentik uses the instance brand name as the issuer, so this problem occurs only when the installation includes the word authentik in its brand name, but other applications might enforce such a naming scheme.
Solution
Do not overwrite the issuer name provided by the otpauth URL with the brand name, or introduce a special flag for self-hosted brands so that the issuer is kept.
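As an added illustration (not 2FAS code), a small parser for the otpauth Key URI format that keeps the issuer exactly as the URI supplies it and lets brand detection decide only the icon, with brand matching restricted to the issuer so that an account name such as john@posteo.de does not trigger the Posteo brand. The BRANDS table, the icon file names and the Posteo sample address are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed brand catalogue standing in for the app's icon list (assumption, not 2FAS data).
BRANDS = {"authentik": "authentik.svg", "posteo": "posteo.svg"}

@dataclass
class OtpEntry:
    issuer: str             # shown to the user; always taken from the URI, never from BRANDS
    account: str
    secret: str
    icon: Optional[str]     # the only thing brand detection is allowed to decide
    issuer_mismatch: bool   # label prefix and issuer= parameter disagree

def detect_brand(issuer: str) -> Optional[str]:
    # Match against the issuer only, never the account name, so an account such as
    # john@posteo.de does not select the Posteo brand.
    key = issuer.lower()
    for brand, icon in BRANDS.items():
        if brand in key:
            return icon
    return None

def parse_otpauth(uri: str) -> OtpEntry:
    # Parse an otpauth://totp/ Key URI; the detected brand never replaces the issuer.
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    label = unquote(parts.path.lstrip("/"))
    # Key URI format: the label is "issuer:account" or just "account".
    prefix, sep, rest = label.partition(":")
    label_issuer = prefix.strip() if sep else ""
    account = rest.strip() if sep else prefix.strip()
    query = parse_qs(parts.query)
    secret = query.get("secret", [""])[0]
    if not secret:
        raise ValueError("otpauth URI has no secret")
    param_issuer = query.get("issuer", [""])[0].strip()
    # The issuer= parameter is authoritative; the label prefix is the fallback.
    issuer = param_issuer or label_issuer
    mismatch = bool(param_issuer and label_issuer and param_issuer != label_issuer)
    return OtpEntry(issuer, account, secret, detect_brand(issuer), mismatch)

def display_names(uris: list) -> list:
    # What the token list would show: distinct instances stay distinguishable.
    return [f"{e.issuer} ({e.account})" for e in map(parse_otpauth, uris)]
```

Run on the two URLs above, both entries get the authentik icon but keep "example.com authentik" and "authentik of ACME Inc" as their names.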
Additional context
#103 might be partly related