Project: TFA Basic plugins
Security risk: *Less critical* 9∕25
Vulnerability: Insecure Randomness
The TFA Basic module enables you to use Two Factor Authentication via a
variety of plugins including TOTP and one-time codes delivered via email or
The module doesn't use a strong source of randomness, creating weak and
predictable one-time login codes that are then delivered using SMS. This
weakness does not affect the more common TOTP second factor.
This vulnerability is mitigated by the fact that the site must be configured
to use SMS to deliver one-time login codes which is an uncommon
* If you use the TFA Basic module for Drupal 7.x, upgrade to TFA Basic 7.x-1.1
Also see the TFA Basic plugins  project page.