View Issue Details

ID: 0006154
Project: SOGo
Category: Web Preferences
View Status: public
Last Update: 2025-10-17 10:56
Reporter: Christian Mack
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: [Server] Linux
OS: Debian
OS Version: 11 (Bullseye)
Product Version: 5.12.5
Summary: 0006154: TOTP secret is not changed after disabling --> re-enabling
Description

The TOTP secret is not deleted by disabling 2FA in the web interface Preferences.
Therefore you cannot change your secret at all.

Steps To Reproduce

1) Log in to the SOGo web interface with username + password only.
2) Open Preferences in the SOGo web interface.
3) Enable 2FA in the SOGo web interface.
4) Scan QR code (== secret) with TOTP app or device.
5) Copy TOTP code from app or device to verification field.
6) Store your change.
7) Log off.
8) Log in again with username + password + TOTP code.
==> 2FA works correctly.

9) Open Preferences.
10) Disable 2FA.
11) Store your change.
12) Log off.
13) Log in again with username + password only.
==> 2FA disabling seems to work.

14) Open Preferences.
15) Enable 2FA again.
16) Do not scan the QR code with your TOTP app or device.
17) Copy TOTP code from app or device to verification field.
18) Store your change.
==> This should not work, as you did not scan the secret!
Obviously the secret was not deleted by disabling 2FA.

Additional Information

Scenario 1:
You lose your TOTP device. For added security you want to change your SOGo TOTP secret.

Scenario 2:
An attacker intercepts your username + password.
After logging in he activates 2FA.
Therefore you are logged out.
After changing your password and disabling 2FA, you activate 2FA yourself, but you will get the same secret as the attacker already has!
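The following is an added example, not SOGo code and not part of the report above. It models the reported secret lifecycle in plain Python: a `BuggyPrefs` store that keeps the secret when 2FA is disabled (the behaviour the 18 steps show), and a `FixedPrefs` store that wipes the secret on disable and mints a fresh one on every enable. `replay_report` walks the reporter's steps against either store and returns whether the originally enrolled device is still accepted at step 17, which is also what Scenario 2 (the attacker's device) comes down to. The TOTP construction is standard RFC 6238 (HMAC-SHA1, 30 s step, 6 digits); that SOGo's QR code uses exactly these parameters is an assumption, and all class and function names here are hypothetical.

```python
"""Added example (not SOGo code): TOTP secret lifecycle on disable/enable."""
import base64
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 Appendix B reuses the RFC 4226 test key; used only to self-check totp_code.
RFC6238_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp_code(secret_b32, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) over a base32 secret, as a TOTP app computes it."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify_code(secret_b32, code, unix_time, window=1):
    """Server-side check allowing +/- `window` time steps of clock drift."""
    for drift in range(-window, window + 1):
        expected = totp_code(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def new_secret():
    """160-bit random secret, base32 as it would be placed in the QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


class BuggyPrefs:
    """Behaviour the report describes (assumed model): disable only flips the
    flag, enable only generates a secret if none is stored yet."""

    def __init__(self):
        self.enabled, self.secret = False, None

    def enable(self):
        if self.secret is None:
            self.secret = new_secret()
        self.enabled = True
        return self.secret            # the value the QR code would encode

    def disable(self):
        self.enabled = False          # secret survives in the preferences


class FixedPrefs:
    """Proposed behaviour: disable wipes the secret, enable always mints a new one."""

    def __init__(self):
        self.enabled, self.secret = False, None

    def enable(self):
        self.secret = new_secret()    # fresh secret every time; old devices lose
        self.enabled = True
        return self.secret

    def disable(self):
        self.enabled = False
        self.secret = None


def second_factor_ok(prefs, code, unix_time):
    """Login check: password-only login passes while 2FA is off; otherwise the
    submitted code must verify against the stored secret."""
    if not prefs.enabled:
        return True
    if code is None or prefs.secret is None:
        return False
    return verify_code(prefs.secret, code, unix_time)


def replay_report(prefs_cls, now=1_700_000_000):
    """Walks the reporter's steps against one preferences implementation.
    Returns (step 8 login ok, step 13 password-only ok, step 17 old-device code accepted)."""
    prefs = prefs_cls()
    enrolled_secret = prefs.enable()                          # steps 3-6: QR code scanned
    step8 = second_factor_ok(prefs, totp_code(enrolled_secret, now), now)
    prefs.disable()                                           # steps 10-11
    step13 = second_factor_ok(prefs, None, now + 60)          # step 13: password only
    prefs.enable()                                            # step 15: QR code NOT rescanned
    later = now + 120
    step17 = second_factor_ok(prefs, totp_code(enrolled_secret, later), later)
    return step8, step13, step17


if __name__ == "__main__":
    print("buggy:", replay_report(BuggyPrefs))   # old device still accepted at step 17
    print("fixed:", replay_report(FixedPrefs))   # old device rejected at step 17
```

With `BuggyPrefs` the third value is True: the device enrolled before the disable/enable cycle (the attacker's device in Scenario 2) keeps producing valid codes. With `FixedPrefs` it is False, because the re-enable issued a secret that device never saw. The check a practitioner wants on the real server is the same as step 17 of the report: after disable and re-enable, a code from the previously enrolled device must be rejected.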

Tags: No tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2025-10-17 10:56 Christian Mack New Issue