Preventing an attacker from bypassing 2FA

Beginning in FileCloud 20.1, FileCloud only allows a user to set their phone number once. Once the phone number has been added, the user must contact their admin to change it. This prevents an attacker who has obtained a user name and password from then changing the user's phone number to bypass two-factor authentication (2FA). It also prevents an attacker who knows the original phone number from changing it and later restoring it so that the user never notices there has been an attack.

To allow a user to set their phone number only once, the config file contains the following setting:

define("TONIDOCLOUD_ENABLE_USER_SET2FASMS", 1);

To require users to contact their admin to set their phone number initially and to change it, set TONIDOCLOUD_ENABLE_USER_SET2FASMS to 0:

define("TONIDOCLOUD_ENABLE_USER_SET2FASMS", 0);

In addition, to prevent an attacker from gaining access with another user's token, the system clears any token that is found to be invalid and requires the user to sign in again.
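The following is an added example, not FileCloud code, that models the two rules described on this page as a small in-memory policy: a non-admin user may set their SMS number once, and only while the flag named after TONIDOCLOUD_ENABLE_USER_SET2FASMS is 1; any later change must come from an admin; and a session token that fails validation is cleared so the user has to sign in again. The class and function names, the user records and the sample values are assumptions made for the illustration.

```python
"""Hypothetical model of the set-once 2FA phone number policy (not FileCloud code)."""
from dataclasses import dataclass
from typing import Optional


class PolicyError(Exception):
    """Raised when a phone number change is refused by the policy."""


@dataclass
class User:
    name: str
    is_admin: bool = False
    phone: Optional[str] = None          # 2FA SMS number, None until first set
    session_token: Optional[str] = None  # current session token, None when signed out


class PhonePolicy:
    # enable_user_set2fasms mirrors TONIDOCLOUD_ENABLE_USER_SET2FASMS (assumed semantics:
    # 1 = user may set the number once, 0 = only an admin may set or change it)
    def __init__(self, enable_user_set2fasms: int = 1) -> None:
        self.enable_user_set2fasms = enable_user_set2fasms

    def set_phone(self, actor: User, target: User, new_phone: str) -> str:
        """Apply the set-once rule; returns the phone number now on record."""
        if actor.is_admin:
            # Admins may set or change any user's number at any time.
            target.phone = new_phone
            return target.phone
        if actor is not target:
            raise PolicyError("only an admin may change another user's phone number")
        if self.enable_user_set2fasms != 1:
            raise PolicyError("contact your admin to set your phone number")
        if target.phone is not None:
            # A number is already on record: even the account owner (or an attacker
            # holding the owner's password) cannot replace or restore it.
            raise PolicyError("phone number already set; contact your admin to change it")
        target.phone = new_phone
        return target.phone


def validate_token(user: User, presented: str) -> bool:
    """Return True if the presented token matches the user's session token.

    On mismatch the stored token is cleared, so the user must sign in again and
    a stale or stolen token cannot be retried against the account.
    """
    if user.session_token is None or presented != user.session_token:
        user.session_token = None
        return False
    return True


if __name__ == "__main__":
    # Constructed walkthrough with sample users and numbers.
    policy = PhonePolicy(enable_user_set2fasms=1)
    alice = User("alice")
    admin = User("admin", is_admin=True)
    print(policy.set_phone(alice, alice, "+1 555 0100"))      # first set succeeds
    try:
        policy.set_phone(alice, alice, "+1 555 0199")          # second set refused
    except PolicyError as err:
        print("refused:", err)
    print(policy.set_phone(admin, alice, "+1 555 0199"))      # admin change succeeds
    alice.session_token = "tok-1"
    print(validate_token(alice, "tok-2"), alice.session_token)  # False None
```

With the flag set to 0 the same `set_phone` call is refused even for a user with no number on record, which is the "contact the admin to set it initially" mode described above.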