PT-2024-39260 · Rubygems · Devise-Two-Factor

Garrett Rappaport · Published 2024-09-17 · Updated 2024-10-01

CVE-2024-8796

CVSS v4.0: 6.0 (Medium)
Vector: AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Devise-Two-Factor versions 1.0.0 or >= 2.2.0 through < 6.0.0
Description: Under the default configuration, Devise-Two-Factor generates TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.
Recommendations: For Devise-Two-Factor versions 1.0.0 or >= 2.2.0 through < 6.0.0, upgrade to v6.0.0 as soon as possible. If upgrading is not possible, override the default OTP secret length attribute in the model when configuring two-factor authenticatable and set it to a value of at least 26 so that newly generated shared secrets are at least 128 bits long (26 Base32 characters at 5 bits each give 130 bits). After upgrading or applying the workaround, consider migrating existing users to the new OTP secret length, since secrets generated before the change remain 120 bits. Implement application logic that checks the length of a user's shared secret and prompts affected users to re-enroll in OTP.
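The length check and re-enrollment decision the Recommendations describe, as an added example in plain Ruby that is not the advisory's or the gem's own code. It assumes secrets are stored Base32-encoded (5 bits per character), uses a constructed stand-in generator in place of the gem's, and shows the Devise option name `otp_secret_length` only in a comment as an assumption.

```ruby
require 'securerandom'

# Limits from the advisory: RFC 4226 requires a shared secret of at least
# 128 bits, and the vulnerable default produced 120 bits. TOTP secrets are
# stored Base32-encoded, so each character carries 5 bits of the secret.
RFC4226_MIN_SECRET_BITS = 128
BASE32_BITS_PER_CHAR = 5
BASE32_ALPHABET = (('A'..'Z').to_a + ('2'..'7').to_a).freeze

# Entropy (in bits) carried by an unpadded Base32 secret.
def base32_secret_bits(secret)
  secret.to_s.delete('=').length * BASE32_BITS_PER_CHAR
end

# Smallest Base32 length that meets the minimum: ceil(128 / 5) = 26, which is
# the workaround value the advisory gives for the secret length attribute.
def min_base32_length(min_bits = RFC4226_MIN_SECRET_BITS)
  (min_bits + BASE32_BITS_PER_CHAR - 1) / BASE32_BITS_PER_CHAR
end

# Constructed stand-in for the gem's secret generator (assumption: the real
# generator is not on the page). Used only to show the two lengths side by side.
def generate_base32_secret(length)
  Array.new(length) { BASE32_ALPHABET[SecureRandom.random_number(BASE32_ALPHABET.size)] }.join
end

# The re-enrollment check the Recommendations call for: true when a user's
# stored secret is shorter than the RFC 4226 minimum and must be regenerated.
def otp_reenrollment_required?(secret)
  base32_secret_bits(secret) < RFC4226_MIN_SECRET_BITS
end

# Assumed model configuration (Devise DSL, option name assumed; not runnable here):
#   devise :two_factor_authenticatable, otp_secret_length: 26

if __FILE__ == $PROGRAM_NAME
  legacy = generate_base32_secret(24)                 # vulnerable default: 120 bits
  fixed  = generate_base32_secret(min_base32_length)  # workaround length: 130 bits
  [legacy, fixed].each do |s|
    puts format('%-26s %3d bits re-enroll=%s', s, base32_secret_bits(s), otp_reenrollment_required?(s))
  end
end
```

Run the check over each user's stored secret at login or in a one-off migration task and route users for whom it returns true through OTP setup again.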

Related Identifiers

CVE-2024-8796
GHSA-QJXF-MC72-WJR2
USN-7050-1

Affected Products

Debian
Devise-Two-Factor
Linuxmint
Ubuntu