TFA Basic plugins - Less critical - Insecure Randomness - SA-CONTRIB-2018-044

Project: TFA Basic plugins
Version: 7.x-1.0
Date: 2018-June-27
Security risk: *Less critical* 9∕25
Vulnerability: Insecure Randomness


The TFA Basic module enables you to use Two Factor Authentication via a
variety of plugins including TOTP and one-time codes delivered via email or

The module doesn't use a strong source of randomness, creating weak and
predictable one-time login codes that are then delivered using SMS. This
weakness does not affect the more common TOTP second factor.

This vulnerability is mitigated by the fact that the site must be configured
to use SMS to deliver one-time login codes which is an uncommon


* If you use the TFA Basic module for Drupal 7.x, upgrade to TFA Basic 7.x-1.1

Also see the TFA Basic plugins [4] project page.


Add new comment