Project: TFA Basic plugins
Security risk: *Less critical* 9∕25
Vulnerability: Insecure Randomness
The TFA Basic module enables you to use Two Factor Authentication via a
variety of plugins including TOTP and one-time codes delivered via email or
The module doesn't use a strong source of randomness, creating weak and
predictable one-time login codes that are then delivered using SMS. This
weakness does not affect the more common TOTP second factor.