davift opened a new issue, #13336:
URL: https://github.com/apache/cloudstack/issues/13336

### The required feature described as a wish

<img width="892" height="623" alt="Image" src="https://github.com/user-attachments/assets/ca6944c2-3b2f-455c-9df7-53c9040f15fe" />

**Description:** A Static PIN is no more secure than a password. Arguably, it is not even a second factor at all, but merely a second step in the authentication process (more on this in the following findings). There may be cases where TOTP is not a viable option, and a Static PIN serves as an alternative. However, Static PIN should not be offered out-of-the-box or listed as an option, as users will naturally follow the path of least resistance toward the weaker method.

**Affected Components:** Management UI

**Impact:** The Static PIN makes the second factor as static and reusable as the password, defeating the purpose of 2FA. An attacker who obtains the PIN once retains persistent access. Replay attacks will succeed indefinitely, and the PIN is vulnerable to the same attacks as a password.

**Steps to Reproduce:**
- Log in to the CloudStack Management UI as a Root Admin.
- Navigate to Configuration > Global Settings.
- Search for `user.2fa.default.provider`, `user.2fa.providers.order`, and `user.2fa.providers.exclude`.
- Observe that Static PIN is not excluded and may be presented as a selectable option.

**Recommended Remediation:** Adopt a secure-by-default, opt-out model: set `user.2fa.default.provider` to TOTP, set `user.2fa.providers.order` to TOTP only by default, and add the Static PIN provider to `user.2fa.providers.exclude` unless explicitly re-enabled by an administrator.
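The following is an added audit script, not part of the issue or of CloudStack's code base, that turns the reproduction steps and the recommended remediation above into a check an administrator can run against a snapshot of the three global settings. It assumes the provider identifiers `totp` and `staticpin` (assumed names) and takes the settings as a plain dict keyed by global-setting name; the sample settings are constructed for the example.

```python
"""Audit CloudStack 2FA global settings for a selectable Static PIN provider
and derive the hardened, opt-out configuration recommended in the issue.

Added example, not CloudStack's own code. Provider identifiers below are
assumed; the three setting names are the ones named in the issue.
"""

TOTP = "totp"              # assumed provider identifier
STATIC_PIN = "staticpin"   # assumed provider identifier

KEY_DEFAULT = "user.2fa.default.provider"
KEY_ORDER = "user.2fa.providers.order"
KEY_EXCLUDE = "user.2fa.providers.exclude"

# Constructed snapshot of a deployment where Static PIN is still offered.
WEAK_SETTINGS = {
    KEY_DEFAULT: "totp",
    KEY_ORDER: "totp,staticpin",
    KEY_EXCLUDE: "",
}


def _csv(value):
    """Split a comma-separated setting value into normalised provider names."""
    return [p.strip().lower() for p in (value or "").split(",") if p.strip()]


def selectable_providers(settings):
    """Providers a user could actually pick: the ordered list minus exclusions."""
    exclude = set(_csv(settings.get(KEY_EXCLUDE)))
    return [p for p in _csv(settings.get(KEY_ORDER)) if p not in exclude]


def audit_2fa_settings(settings):
    """Return a list of findings; an empty list means the settings already
    match the remediation (TOTP default, TOTP-only order, Static PIN excluded)."""
    findings = []
    default = (settings.get(KEY_DEFAULT) or "").strip().lower()
    order = _csv(settings.get(KEY_ORDER))
    exclude = _csv(settings.get(KEY_EXCLUDE))

    if default != TOTP:
        findings.append(f"{KEY_DEFAULT} is {default!r}; expected {TOTP!r}")
    if order != [TOTP]:
        findings.append(f"{KEY_ORDER} is {order}; expected TOTP only")
    if STATIC_PIN not in exclude:
        findings.append(f"{KEY_EXCLUDE} does not exclude {STATIC_PIN!r}")
    if STATIC_PIN in selectable_providers(settings):
        findings.append(f"{STATIC_PIN!r} is presented as a selectable option")
    return findings


def harden(settings):
    """Return a copy of the settings with the opt-out model applied.
    Any providers already excluded are kept; Static PIN is appended."""
    hardened = dict(settings)
    hardened[KEY_DEFAULT] = TOTP
    hardened[KEY_ORDER] = TOTP
    exclude = _csv(settings.get(KEY_EXCLUDE))
    if STATIC_PIN not in exclude:
        exclude.append(STATIC_PIN)
    hardened[KEY_EXCLUDE] = ",".join(exclude)
    return hardened


if __name__ == "__main__":
    for finding in audit_2fa_settings(WEAK_SETTINGS):
        print("FINDING:", finding)
    fixed = harden(WEAK_SETTINGS)
    print("Hardened settings:", fixed)
    print("Remaining findings:", audit_2fa_settings(fixed))
```

The three values the script changes are exactly the three global settings named in the reproduction steps, so the `harden()` output can be applied one key at a time from the Global Settings page.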

